mirror of
https://github.com/clearml/dropbear
synced 2025-02-26 05:38:53 +00:00
merge 2017.75
This commit is contained in:
commit
45b27b0194
.hgsigs.hgtags.travis.ymlMakefile.inagentfwd.halgo.hatomicio.catomicio.hauth.hchannel.hchansession.hcli-agentfwd.ccli-auth.ccli-authinteract.ccli-authpasswd.ccli-authpubkey.ccli-chansession.ccli-kex.ccli-main.ccli-runopts.ccli-session.ccli-tcpfwd.ccommon-algo.ccommon-channel.ccommon-kex.ccommon-runopts.ccommon-session.ccompat.ccrypto_desc.cdbrandom.cdbutil.cdbutil.hdebug.hdefault_options.hdefault_options.h.indropbear.8dropbearconvert.cdropbearkey.cdss.cdss.hecc.cecc.hecdsa.cecdsa.hgendss.cgendss.hgenrsa.cgenrsa.hgensignkey.cifndef_wrapper.shkex.hkeyimport.cloginrec.cltc_prng.cltc_prng.hnetio.cnetio.hoptions.hrsa.crsa.hrunopts.hscp.cscpmisc.hsession.hsignkey.csignkey.hsvr-agentfwd.csvr-auth.csvr-authpam.csvr-authpasswd.csvr-authpubkey.csvr-authpubkeyoptions.csvr-chansession.csvr-kex.csvr-main.csvr-runopts.csvr-session.csvr-tcpfwd.csvr-x11fwd.csysoptions.htcp-accept.cx11fwd.h
1
.hgsigs
1
.hgsigs
@ -20,5 +20,6 @@ af074dbcb68ff8670b3818e0d66d5dc6f1bd5877 0 iQIcBAABCgAGBQJWVdQfAAoJEPSYMBLCC7qs+
|
||||
5bb5976e6902a0c9fba974a880c68c9487ee1e77 0 iQIcBAABCgAGBQJWVyIKAAoJEESTFJTynGdzQosP/0k5bVTerpUKZLjyNuMU8o0eyc7njkX8EyMOyGbtcArKpzO2opSBTRsuCT9Zsk1iiQ1GMTY1quKD7aNr86Hipqo4th/+ZXmLe9mmaCDukKjD0ZYC4dBVUy6RSUAMvdkDP9sZs7CMTO/22a9SqOsKTv3s2NN6XnsBGnmNbvVx5hkAk5hMVNFrjKIaexzI/7bWQIDRo2HQCaWaL06JvWEDSEQd2mynGSXxT/+m4hBnuGg6qxn2pd4XfG0g10tDAFx64HQkWgZqSB+F8z71Cvfjondy1zjJYgtABqNlwCKQJZhRUW2+PblqQnz08TUy83XN2vtisOju4avGcHSaBgBbMvg8Wx4ZtM7sPP9pLrhhOTd5ceERHeTceTJy+iI1SQFvccjrRfs5aJ0zAQX5q6f4bV0zp5SmxkvnZUEkZIoetkM8VrPOYugqx31LtHAWfVT9NM+VkV/rrxLhk6J0giIQvC9MPWxRDileFVDszPiOgTLcxWjOziOLT+xijcj7dtx1b/f2bNCduN5G7i+icjjTlCNtyRPRqhBqn705W7F+xESP2gsscM/1BjQ7TGidU5m1njdkUjbrqm3+Qic6iqkG7SfETHmQB9mHqpJ0hACRPvZlhwB7oimNHllkrlw8UJw9f0SiuLjfERIgVS2EOp+mAia0RU7MlTt19o017M1ffEYL
|
||||
926e7275cef4f4f2a4251597ee4814748394824c 0 iQIcBAABCgAGBQJWYES4AAoJEESTFJTynGdzdT0P/0O/1frevtr698DwMe6kmJx35P6Bqq8szntMxYucv0HROTfr85JRcCCSvl/2SflDS215QmOxdvYLGLUWPJNz/gURCLpzsT88KLF68Y1tC72nl4Fj+LGIOlsWsvwEqQqw0v4iQkHIfcxI6q7g1r9Hfldf/ju4bzQ4HnKLxm6KNcLLoAsuehVpQ+njHpLmlLAGHU5a84B7xeXHFR+U/EBPxSdm637rNhmpLpkuK2Mym/Mzv7BThKDstpB8lhFHIwAVNqi3Cy4nGYxFZOJpooUN9pDornqAwuzHmOAMs9+49L8GZ1de5PBRGyFKibzjBIUWPEU9EIkfJVaVwTlqYK8Q/IRi9HjITPx6GpE8cZhdSvAibrQdb6BbIDrZ8eCvD9vnod6Uk0Jb9/ui6nCF9x+CN/3Qez4epV5+JCMYsqCiXFkVPm9Lab6L2eGZis7Q2TXImA/sSV+E4BGfH2urpkKlnuXTTtDp4XRG+lOISkIBXgjVY+uy8soVKNdx1gv+LeY8hu/oQ2NyOlaOeL47aSQ3who4Pk6pVRUOl6zfcKo9Vs6xDWm35A3Z6x/mrAENaXasB0JrfY5nIbefJUpbeSmi76fYldU98HdQNHPHCSeiKVYl7v/B6gi2JXp5xngLZz/5VVAurago7sRmpIp7G/AqU6LNE85IUzG8aQz8AfR0d1dW
|
||||
fd1981f41c626a969f07b4823848deaefef3c8aa 0 iQIcBAABCgAGBQJW4W2TAAoJEESTFJTynGdzuOcP/j6tvB2WRwSj39KoJuRcRebFWWv4ZHiQXYMXWa3X0Ppzz52r9W0cXDjjlp5FyGdovCQsK+IXmjPo5cCvWBrZJYA6usFr9ssnUtTC+45lvPxPYwj47ZGPngCXDt7LD+v08XhqCu4LsctXIP/zejd30KVS1eR2RHI+tnEyaIKC0Xaa0igcv74MZX7Q8/U+B730QMX5adfYAHoeyRhoctRWaxVV3To7Vadd9jNXP45MRY5auhRcK7XyQcS85vJeCRoysfDUas4ERRQWYkX+68GyzO9GrkYFle931Akw2K6ZZfUuiC2TrF5xv1eRP1Zm2GX481U4ZGFTI8IzZL8sVQ6tvzq2Mxsecu589JNui9aB2d8Gp2Su/E2zn0h0ShIRmviGzf2HiBt+Bnji5X2h/fJKWbLaWge0MdOU5Jidfyh9k0YT7xo4piJLJYSaZ3nv+j4jTYnTfL7uYvuWbYkJ1T32aQVCan7Eup3BFAgQjzbWYi1XQVg6fvu8uHPpS3tNNA9EAMeeyTyg1l6zI2EIU5gPfd/dKmdyotY2lZBkFZNJqFkKRZuzjWekcw7hAxS+Bd68GKklt/DGrQiVycAgimqwXrfkzzQagawq2fXL2uXB8ghlsyxKLSQPnAtBF2Jcn5FH2z7HOQ+e18ZrFfNy0cYa/4OdH6K5aK1igTzhZZP2Urn0
|
||||
70705edee9dd29cd3d410f19fbd15cc3489313e2 0 iQIcBAABCgAGBQJW7CQRAAoJEESTFJTynGdzTj0QAJL38CKSZthBAeI9c6B+IlwIeT6kPZaPqk1pkycCTWOe87NiNU9abrsF+JrjTuRQiO1EpM2IvfQEIXTijUcMxvld3PnzrZDDv6UvBLtOkn3i++HSVRO0MOuTKI8gFDEPUxRtcaCKXEbqYnf1OTK25FT09Vb//qP9mK1thvlLJmbV+D2a9MkMK66rom1d1h+347IsuwsM+ycHjB80VVAQLA7VYLC5YIwmL17dSmcQLvetfikAMwwmUE+KES4qiLSaqOcAWcKcU67RZzgMMv5o0rESlQmv1nj0mHZtHoUR71sd21emPaRXLOr0oT5YogWUphKq2qVthRn2B06+vd3hPdtn92CmJw9j7zT2jl4OeSjNm9qfAajsRzHIANssFxkGAb7w/LxcMoO29JC+01iUUJMdOVm+4Ns6wGI7qxssWPKdB+VbQUDlHrXLR+sopO524uhkYoWB6DVfTj4R6tImaHtj5/VXON0lsYaLGj8cSH60emL6nNQ0lYV/bSlk6l0s+0x3uXGZnp9oKA+vqMzHfG3vJeMm6KUqtFVjUsYx+q8nHm5/SlWxj1EwnkH8s8ELKZAUXjd76nWEwJ7JFRNRSQWvjOUh3/rsOo4JopzZXPsjCjm+Vql9TG0X6hB21noai32oD5RvfhtR/NX6sXNS5TKZz/j/cMsMnAAsSKb6W7Jm
|
||||
9030ffdbe5625e35ed7189ab84a41dfc8d413e9c 0 iQIcBAABCgAGBQJXkOg0AAoJEESTFJTynGdzc1kP/3vSKCnhOOvjCjnpTQadYcCUq8vTNnfLHYVu0R4ItPa/jT6RmxoaYP+lZnLnnBx9+aX7kzwHsa9BUX3MbMEyLrOzX2I+bDJbNPhQyupyCuPYlf5Q9KVcO9YlpbsC4q5XBzCn3j2+pT8kSfi9uD8fgY3TgE4w9meINrfQAealfjwMLT8S/I49/ni0r+usSfk/dnSShJYDUO7Ja0VWbJea/GkkZTu30bCnMUZPjRApipU3hPP63WFjkSMT1rp2mAXbWqyr9lf8z32yxzM9nMSjq4ViRFzFlkGtE3EVRJ4PwkO7JuiWAMPJpiQcEr+r52cCsmWhiGyHuINo01MwoMO9/n6uL1WVa3mJcE9se3xBOvfgDu2FRFGCAdm1tef+AGVo9EG1uJXi0sX2yUc6DMeuYaRWrXMMlZh7zp9cuNU9Y/lLui9RFmq66yeXG3Z2B72doju3Ig5QGrNNw2AOsSzeHdAtOp6ychqPcl9QfIeJQG18KyPSefZKM3G8YRKBRIwXFEH6iZJe5ZIP4iXrHDMn2JqtTRtDqKR8VNDAgb9z4Ffx8QRxFyj5JzTTMM1GddHb9udLvTQlO0ULYG7hCSMRNzvUBE2aTw8frjLRyfyyg3QpDu/hz8op8s1ecE8rTCD8RuX9DiiylNozypPtGNS+UDbAmkc1PCWaRpPVl+9K6787
|
||||
5c9207ceedaea794f958224c19214d66af6e2d56 0 iQIzBAABCgAdFiEE9zR+8u4uB6JnYoypRJMUlPKcZ3MFAlkdtooACgkQRJMUlPKcZ3P6ZxAAmLy/buZB/d96DJF/pViRWt/fWdjQFC4MqWfeSLW02OZ8Qkm1vPL3ln6WPHC2thy3xZWVg2uan3pLk/XXnsIFu8Q7r1EAfFFpvlMUmdl7asE8V6ilaeqmiI7bIvGMFbf4cZkQliLjiFkJX56tFHRCNi+rb7WgRuru3/GzPXUq2AvXZvFpFJgik0B72TxVlmCKeBRZq1FvP0UhAH48RJWYJksdEyzh2paMfjX9ZO5Q2SFFrmPw6k2ArdJFC1AYcgceZC84y06RKJ0WiSntUPlEUXgQbQVVWbtQDhjfJXMr/beuroNdT/vsRraLVkAzvhaDXNnHlAJNLQxci+AcLpnzZhxMW+ax7RRtrpXGxRN4cs0lBGUcSkaDybFqMYXwEjXAE8w6fdJRWCIlxctkAW/iNEO4kAG97hI2Qwcw5oU2Ymnv09zyGR+XJE35pJqPulJHExdwanJHvmjH0QF7TNFS82yxS5dKnP954cj3Lu9SWGYWjxQJRmLtOwb+lqqol4VTxG7Ois4uef9/Tpp9skeMZXVeNlpn2wrp6iFcX3uiiVDg9VKkl3ig6UqCiqQSuiIN87RXwUOeHXlCnW3adz3Xei0ziBrwLSql7lBIHGEAlUUNmJ3CrR8IwQtcynGEMKfNIeZ/XK+uNlm9cJIqZf1fzqc8KexlyS9AS0i/kiYZTr4=
|
||||
|
1
.hgtags
1
.hgtags
@ -52,5 +52,6 @@ cbd674d63cd4f3781464a8d4056a5506c8ae926f DROPBEAR_2015.67
|
||||
79a6ef02307d05cb9dda10465cb5b807baa8f62e DROPBEAR_2015.70
|
||||
9a944a243f08be6b22d32f166a0690eb4872462b DROPBEAR_2015.71
|
||||
78b12b6549be08b0bea3da329b2578060a76ca31 DROPBEAR_2016.72
|
||||
309e1c4a87682b6ca7d80b8555a1db416c3cb7ac DROPBEAR_2016.73
|
||||
0ed3d2bbf956cb8a9bf0f4b5a86b7dd9688205cb DROPBEAR_2016.74
|
||||
c31276613181c5cff7854e7ef586ace03424e55e DROPBEAR_2017.75
|
||||
|
@ -41,7 +41,9 @@ install:
|
||||
script:
|
||||
- autoconf && autoheader && ./configure "$BUNDLEDLIBTOM" CFLAGS="-O2 -Wall -Wno-pointer-sign $WEXTRAFLAGS" --prefix="$HOME/inst"
|
||||
- if [ "$NOWRITEV" = "1" ]; then sed -i -e s/HAVE_WRITEV/DONT_HAVE_WRITEV/ config.h ; fi
|
||||
- make -j3 install
|
||||
- make -j3
|
||||
# avoid concurrent install, osx/freebsd is racey (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=208093)
|
||||
- make install
|
||||
|
||||
after_success:
|
||||
- ~/inst/bin/dropbearkey -t rsa -f testrsa
|
||||
|
25
Makefile.in
25
Makefile.in
@ -24,6 +24,10 @@ CFLAGS+=-I$(srcdir)/libtomcrypt/src/headers/
|
||||
LIBTOM_LIBS=$(STATIC_LTC) $(STATIC_LTM)
|
||||
endif
|
||||
|
||||
ifneq ($(wildcard localoptions.h),)
|
||||
CFLAGS+=-DLOCALOPTIONS_H_EXISTS
|
||||
endif
|
||||
|
||||
COMMONOBJS=dbutil.o buffer.o dbhelpers.o \
|
||||
dss.o bignum.o \
|
||||
signkey.o rsa.o dbrandom.o \
|
||||
@ -76,6 +80,8 @@ bindir=@bindir@
|
||||
sbindir=@sbindir@
|
||||
mandir=@mandir@
|
||||
|
||||
.DELETE_ON_ERROR:
|
||||
|
||||
CC=@CC@
|
||||
AR=@AR@
|
||||
RANLIB=@RANLIB@
|
||||
@ -155,7 +161,6 @@ inst_%: %
|
||||
|
||||
inst_dropbearmulti: $(addprefix insmulti, $(PROGRAMS))
|
||||
|
||||
|
||||
# for some reason the rule further down doesn't like $($@objs) as a prereq.
|
||||
dropbear: $(dropbearobjs)
|
||||
dbclient: $(dbclientobjs)
|
||||
@ -195,18 +200,18 @@ link%:
|
||||
-ln -s dropbearmulti$(EXEEXT) $*$(EXEEXT)
|
||||
|
||||
$(STATIC_LTC): options.h
|
||||
cd libtomcrypt && $(MAKE)
|
||||
$(MAKE) -C libtomcrypt
|
||||
|
||||
$(STATIC_LTM): options.h
|
||||
cd libtommath && $(MAKE)
|
||||
$(MAKE) -C libtommath
|
||||
|
||||
.PHONY : clean sizes thisclean distclean tidy ltc-clean ltm-clean
|
||||
|
||||
ltc-clean:
|
||||
cd libtomcrypt && $(MAKE) clean
|
||||
$(MAKE) -C libtomcrypt clean
|
||||
|
||||
ltm-clean:
|
||||
cd libtommath && $(MAKE) clean
|
||||
$(MAKE) -C libtommath clean
|
||||
|
||||
sizes: dropbear
|
||||
objdump -t dropbear|grep ".text"|cut -d "." -f 2|sort -rn
|
||||
@ -215,7 +220,7 @@ clean: ltc-clean ltm-clean thisclean
|
||||
|
||||
thisclean:
|
||||
-rm -f dropbear dbclient dropbearkey dropbearconvert scp scp-progress \
|
||||
dropbearmulti *.o *.da *.bb *.bbg *.prof
|
||||
dropbearmulti *.o *.da *.bb *.bbg *.prof
|
||||
|
||||
distclean: clean tidy
|
||||
-rm -f config.h
|
||||
@ -223,3 +228,11 @@ distclean: clean tidy
|
||||
|
||||
tidy:
|
||||
-rm -f *~ *.gcov */*~
|
||||
|
||||
# default_options.h is stored in version control, could not find a workaround
|
||||
# for parallel "make -j" and dependency rules.
|
||||
default_options.h: default_options.h.in
|
||||
echo "# > > > Generated from $^, edit that file instead !" > $@.tmp
|
||||
echo >> $@.tmp
|
||||
$(srcdir)/ifndef_wrapper.sh < $^ > $@.tmp
|
||||
mv $@.tmp $@
|
||||
|
@ -30,7 +30,7 @@
|
||||
#include "auth.h"
|
||||
#include "list.h"
|
||||
|
||||
#ifdef ENABLE_CLI_AGENTFWD
|
||||
#if DROPBEAR_CLI_AGENTFWD
|
||||
|
||||
/* An agent reply can be reasonably large, as it can
|
||||
* contain a list of all public keys held by the agent.
|
||||
@ -50,14 +50,14 @@ void cli_setup_agent(struct Channel *channel);
|
||||
|
||||
extern const struct ChanType cli_chan_agent;
|
||||
|
||||
#endif /* ENABLE_CLI_AGENTFWD */
|
||||
#endif /* DROPBEAR_CLI_AGENTFWD */
|
||||
|
||||
#ifdef ENABLE_SVR_AGENTFWD
|
||||
#if DROPBEAR_SVR_AGENTFWD
|
||||
|
||||
int svr_agentreq(struct ChanSess * chansess);
|
||||
void svr_agentcleanup(struct ChanSess * chansess);
|
||||
void svr_agentset(struct ChanSess *chansess);
|
||||
|
||||
#endif /* ENABLE_SVR_AGENTFWD */
|
||||
#endif /* DROPBEAR_SVR_AGENTFWD */
|
||||
|
||||
#endif /* DROPBEAR_AGENTFWD_H_ */
|
||||
|
10
algo.h
10
algo.h
@ -83,9 +83,15 @@ struct dropbear_hash {
|
||||
};
|
||||
|
||||
enum dropbear_kex_mode {
|
||||
#if DROPBEAR_NORMAL_DH
|
||||
DROPBEAR_KEX_NORMAL_DH,
|
||||
#endif
|
||||
#if DROPBEAR_ECDH
|
||||
DROPBEAR_KEX_ECDH,
|
||||
#endif
|
||||
#if DROPBEAR_CURVE25519
|
||||
DROPBEAR_KEX_CURVE25519,
|
||||
#endif
|
||||
};
|
||||
|
||||
struct dropbear_kex {
|
||||
@ -96,7 +102,7 @@ struct dropbear_kex {
|
||||
const int dh_p_len;
|
||||
|
||||
/* elliptic curve DH KEX */
|
||||
#ifdef DROPBEAR_ECDH
|
||||
#if DROPBEAR_ECDH
|
||||
const struct dropbear_ecc_curve *ecc_curve;
|
||||
#else
|
||||
const void* dummy;
|
||||
@ -122,7 +128,7 @@ enum kexguess2_used {
|
||||
algo_type * buf_match_algo(buffer* buf, algo_type localalgos[],
|
||||
enum kexguess2_used *kexguess2, int *goodguess);
|
||||
|
||||
#ifdef ENABLE_USER_ALGO_LIST
|
||||
#if DROPBEAR_USER_ALGO_LIST
|
||||
int check_user_algos(const char* user_algo_list, algo_type * algos,
|
||||
const char *algo_desc);
|
||||
char * algolist_string(algo_type algos[]);
|
||||
|
29
atomicio.c
29
atomicio.c
@ -1,6 +1,8 @@
|
||||
/* $OpenBSD: atomicio.c,v 1.17 2006/04/01 05:51:34 djm Exp $ */
|
||||
/*
|
||||
* Copied from OpenSSH 3.6.1p2.
|
||||
* Copied from OpenSSH/OpenBSD.
|
||||
*
|
||||
* Copyright (c) 2005 Anil Madhavapeddy. All rights reserved.
|
||||
* Copyright (c) 1995,1999 Theo de Raadt. All rights reserved.
|
||||
* All rights reserved.
|
||||
*
|
||||
@ -25,39 +27,32 @@
|
||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
/* RCSID("OpenBSD: atomicio.c,v 1.10 2001/05/08 22:48:07 markus Exp "); */
|
||||
#include "includes.h"
|
||||
|
||||
#include "atomicio.h"
|
||||
|
||||
/*
|
||||
* ensure all of data on socket comes through. f==read || f==write
|
||||
* ensure all of data on socket comes through. f==read || f==vwrite
|
||||
*/
|
||||
ssize_t
|
||||
atomicio(f, fd, _s, n)
|
||||
ssize_t (*f) ();
|
||||
int fd;
|
||||
void *_s;
|
||||
size_t n;
|
||||
size_t
|
||||
atomicio(ssize_t (*f) (int, void *, size_t), int fd, void *_s, size_t n)
|
||||
{
|
||||
char *s = _s;
|
||||
ssize_t res;
|
||||
size_t pos = 0;
|
||||
ssize_t res;
|
||||
|
||||
while (n > pos) {
|
||||
res = (f) (fd, s + pos, n - pos);
|
||||
switch (res) {
|
||||
case -1:
|
||||
#ifdef EWOULDBLOCK
|
||||
if (errno == EINTR || errno == EAGAIN || errno == EWOULDBLOCK)
|
||||
#else
|
||||
if (errno == EINTR || errno == EAGAIN)
|
||||
#endif
|
||||
continue;
|
||||
/* FALLTHROUGH */
|
||||
return 0;
|
||||
case 0:
|
||||
return (res);
|
||||
errno = EPIPE;
|
||||
return pos;
|
||||
default:
|
||||
pos += res;
|
||||
pos += (size_t)res;
|
||||
}
|
||||
}
|
||||
return (pos);
|
||||
|
13
atomicio.h
13
atomicio.h
@ -1,8 +1,7 @@
|
||||
/* $OpenBSD: atomicio.h,v 1.7 2006/03/25 22:22:42 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Copied from OpenSSH 3.6.1p2, required for loginrec.c
|
||||
*
|
||||
* $OpenBSD: atomicio.h,v 1.4 2001/06/26 06:32:46 itojun Exp $
|
||||
* Copied from OpenSSH/OpenBSD, required for loginrec.c
|
||||
*
|
||||
* Copyright (c) 1995,1999 Theo de Raadt. All rights reserved.
|
||||
* All rights reserved.
|
||||
@ -28,9 +27,9 @@
|
||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
/*
|
||||
* Ensure all of data on socket comes through. f==read || f==write
|
||||
* Ensure all of data on socket comes through. f==read || f==vwrite
|
||||
*/
|
||||
ssize_t atomicio(ssize_t (*)(), int, void *, size_t);
|
||||
size_t atomicio(ssize_t (*)(int, void *, size_t), int, void *, size_t);
|
||||
|
||||
#define vwrite (ssize_t (*)(int, void *, size_t))write
|
||||
|
6
auth.h
6
auth.h
@ -41,7 +41,7 @@ void svr_auth_password(void);
|
||||
void svr_auth_pubkey(void);
|
||||
void svr_auth_pam(void);
|
||||
|
||||
#ifdef ENABLE_SVR_PUBKEY_OPTIONS
|
||||
#if DROPBEAR_SVR_PUBKEY_OPTIONS_BUILT
|
||||
int svr_pubkey_allows_agentfwd(void);
|
||||
int svr_pubkey_allows_tcpfwd(void);
|
||||
int svr_pubkey_allows_x11fwd(void);
|
||||
@ -119,12 +119,12 @@ struct AuthState {
|
||||
char *pw_shell;
|
||||
char *pw_name;
|
||||
char *pw_passwd;
|
||||
#ifdef ENABLE_SVR_PUBKEY_OPTIONS
|
||||
#if DROPBEAR_SVR_PUBKEY_OPTIONS_BUILT
|
||||
struct PubKeyOptions* pubkey_options;
|
||||
#endif
|
||||
};
|
||||
|
||||
#ifdef ENABLE_SVR_PUBKEY_OPTIONS
|
||||
#if DROPBEAR_SVR_PUBKEY_OPTIONS_BUILT
|
||||
struct PubKeyOptions;
|
||||
struct PubKeyOptions {
|
||||
/* Flags */
|
||||
|
@ -126,11 +126,11 @@ void recv_msg_channel_eof(void);
|
||||
void common_recv_msg_channel_data(struct Channel *channel, int fd,
|
||||
circbuffer * buf);
|
||||
|
||||
#ifdef DROPBEAR_CLIENT
|
||||
#if DROPBEAR_CLIENT
|
||||
extern const struct ChanType clichansess;
|
||||
#endif
|
||||
|
||||
#if defined(USING_LISTENERS) || defined(DROPBEAR_CLIENT)
|
||||
#if DROPBEAR_LISTENERS || DROPBEAR_CLIENT
|
||||
int send_msg_channel_open_init(int fd, const struct ChanType *type);
|
||||
void recv_msg_channel_open_confirmation(void);
|
||||
void recv_msg_channel_open_failure(void);
|
||||
|
@ -58,7 +58,7 @@ struct ChanSess {
|
||||
/* Used to set $SSH_CLIENT in the child session. */
|
||||
char *client_string;
|
||||
|
||||
#ifndef DISABLE_X11FWD
|
||||
#if DROPBEAR_X11FWD
|
||||
struct Listener * x11listener;
|
||||
int x11port;
|
||||
char * x11authprot;
|
||||
@ -67,13 +67,13 @@ struct ChanSess {
|
||||
unsigned char x11singleconn;
|
||||
#endif
|
||||
|
||||
#ifdef ENABLE_SVR_AGENTFWD
|
||||
#if DROPBEAR_SVR_AGENTFWD
|
||||
struct Listener * agentlistener;
|
||||
char * agentfile;
|
||||
char * agentdir;
|
||||
#endif
|
||||
|
||||
#ifdef ENABLE_SVR_PUBKEY_OPTIONS
|
||||
#if DROPBEAR_SVR_PUBKEY_OPTIONS_BUILT
|
||||
char *original_command;
|
||||
#endif
|
||||
};
|
||||
@ -89,7 +89,7 @@ void addnewvar(const char* param, const char* var);
|
||||
void cli_send_chansess_request(void);
|
||||
void cli_tty_cleanup(void);
|
||||
void cli_chansess_winchange(void);
|
||||
#ifdef ENABLE_CLI_NETCAT
|
||||
#if DROPBEAR_CLI_NETCAT
|
||||
void cli_send_netcat_request(void);
|
||||
#endif
|
||||
|
||||
|
@ -24,7 +24,7 @@
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
#ifdef ENABLE_CLI_AGENTFWD
|
||||
#if DROPBEAR_CLI_AGENTFWD
|
||||
|
||||
#include "agentfwd.h"
|
||||
#include "session.h"
|
||||
@ -130,7 +130,7 @@ static buffer * agent_request(unsigned char type, buffer *data) {
|
||||
}
|
||||
buf_setpos(payload, 0);
|
||||
|
||||
ret = atomicio(write, fd, buf_getptr(payload, payload->len), payload->len);
|
||||
ret = atomicio(vwrite, fd, buf_getptr(payload, payload->len), payload->len);
|
||||
if ((size_t)ret != payload->len) {
|
||||
TRACE(("write failed fd %d for agent_request, %s", fd, strerror(errno)))
|
||||
goto out;
|
||||
|
60
cli-auth.c
60
cli-auth.c
@ -51,7 +51,7 @@ void cli_auth_getmethods() {
|
||||
|
||||
encrypt_packet();
|
||||
|
||||
#ifdef DROPBEAR_CLI_IMMEDIATE_AUTH
|
||||
#if DROPBEAR_CLI_IMMEDIATE_AUTH
|
||||
/* We can't haven't two auth requests in-flight with delayed zlib mode
|
||||
since if the first one succeeds then the remote side will
|
||||
expect the second one to be compressed.
|
||||
@ -78,6 +78,7 @@ void recv_msg_userauth_banner() {
|
||||
char* banner = NULL;
|
||||
unsigned int bannerlen;
|
||||
unsigned int i, linecount;
|
||||
int truncated = 0;
|
||||
|
||||
TRACE(("enter recv_msg_userauth_banner"))
|
||||
if (ses.authstate.authdone) {
|
||||
@ -90,26 +91,29 @@ void recv_msg_userauth_banner() {
|
||||
|
||||
if (bannerlen > MAX_BANNER_SIZE) {
|
||||
TRACE(("recv_msg_userauth_banner: bannerlen too long: %d", bannerlen))
|
||||
goto out;
|
||||
}
|
||||
truncated = 1;
|
||||
} else {
|
||||
cleantext(banner);
|
||||
|
||||
cleantext(banner);
|
||||
|
||||
/* Limit to 25 lines */
|
||||
linecount = 1;
|
||||
for (i = 0; i < bannerlen; i++) {
|
||||
if (banner[i] == '\n') {
|
||||
if (linecount >= MAX_BANNER_LINES) {
|
||||
banner[i] = '\0';
|
||||
break;
|
||||
/* Limit to 24 lines */
|
||||
linecount = 1;
|
||||
for (i = 0; i < bannerlen; i++) {
|
||||
if (banner[i] == '\n') {
|
||||
if (linecount >= MAX_BANNER_LINES) {
|
||||
banner[i] = '\0';
|
||||
truncated = 1;
|
||||
break;
|
||||
}
|
||||
linecount++;
|
||||
}
|
||||
linecount++;
|
||||
}
|
||||
fprintf(stderr, "%s\n", banner);
|
||||
}
|
||||
|
||||
fprintf(stderr, "%s\n", banner);
|
||||
if (truncated) {
|
||||
fprintf(stderr, "[Banner from the server is too long]\n");
|
||||
}
|
||||
|
||||
out:
|
||||
m_free(banner);
|
||||
TRACE(("leave recv_msg_userauth_banner"))
|
||||
}
|
||||
@ -121,21 +125,21 @@ out:
|
||||
* SSH_MSG_USERAUTH_INFO_REQUEST. */
|
||||
void recv_msg_userauth_specific_60() {
|
||||
|
||||
#ifdef ENABLE_CLI_PUBKEY_AUTH
|
||||
#if DROPBEAR_CLI_PUBKEY_AUTH
|
||||
if (cli_ses.lastauthtype == AUTH_TYPE_PUBKEY) {
|
||||
recv_msg_userauth_pk_ok();
|
||||
return;
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef ENABLE_CLI_INTERACT_AUTH
|
||||
#if DROPBEAR_CLI_INTERACT_AUTH
|
||||
if (cli_ses.lastauthtype == AUTH_TYPE_INTERACT) {
|
||||
recv_msg_userauth_info_request();
|
||||
return;
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef ENABLE_CLI_PASSWORD_AUTH
|
||||
#if DROPBEAR_CLI_PASSWORD_AUTH
|
||||
if (cli_ses.lastauthtype == AUTH_TYPE_PASSWORD) {
|
||||
/* Eventually there could be proper password-changing
|
||||
* support. However currently few servers seem to
|
||||
@ -179,7 +183,7 @@ void recv_msg_userauth_failure() {
|
||||
TRACE(("leave recv_msg_userauth_failure, ignored response, state set to USERAUTH_REQ_SENT"));
|
||||
return;
|
||||
} else {
|
||||
#ifdef ENABLE_CLI_PUBKEY_AUTH
|
||||
#if DROPBEAR_CLI_PUBKEY_AUTH
|
||||
/* If it was a pubkey auth request, we should cross that key
|
||||
* off the list. */
|
||||
if (cli_ses.lastauthtype == AUTH_TYPE_PUBKEY) {
|
||||
@ -187,7 +191,7 @@ void recv_msg_userauth_failure() {
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef ENABLE_CLI_INTERACT_AUTH
|
||||
#if DROPBEAR_CLI_INTERACT_AUTH
|
||||
/* If we get a failure message for keyboard interactive without
|
||||
* receiving any request info packet, then we don't bother trying
|
||||
* keyboard interactive again */
|
||||
@ -227,19 +231,19 @@ void recv_msg_userauth_failure() {
|
||||
for (i = 0; i <= methlen; i++) {
|
||||
if (methods[i] == '\0') {
|
||||
TRACE(("auth method '%s'", tok))
|
||||
#ifdef ENABLE_CLI_PUBKEY_AUTH
|
||||
#if DROPBEAR_CLI_PUBKEY_AUTH
|
||||
if (strncmp(AUTH_METHOD_PUBKEY, tok,
|
||||
AUTH_METHOD_PUBKEY_LEN) == 0) {
|
||||
ses.authstate.authtypes |= AUTH_TYPE_PUBKEY;
|
||||
}
|
||||
#endif
|
||||
#ifdef ENABLE_CLI_INTERACT_AUTH
|
||||
#if DROPBEAR_CLI_INTERACT_AUTH
|
||||
if (strncmp(AUTH_METHOD_INTERACT, tok,
|
||||
AUTH_METHOD_INTERACT_LEN) == 0) {
|
||||
ses.authstate.authtypes |= AUTH_TYPE_INTERACT;
|
||||
}
|
||||
#endif
|
||||
#ifdef ENABLE_CLI_PASSWORD_AUTH
|
||||
#if DROPBEAR_CLI_PASSWORD_AUTH
|
||||
if (strncmp(AUTH_METHOD_PASSWORD, tok,
|
||||
AUTH_METHOD_PASSWORD_LEN) == 0) {
|
||||
ses.authstate.authtypes |= AUTH_TYPE_PASSWORD;
|
||||
@ -267,7 +271,7 @@ void recv_msg_userauth_success() {
|
||||
cli_ses.state = USERAUTH_SUCCESS_RCVD;
|
||||
cli_ses.lastauthtype = AUTH_TYPE_NONE;
|
||||
|
||||
#ifdef ENABLE_CLI_PUBKEY_AUTH
|
||||
#if DROPBEAR_CLI_PUBKEY_AUTH
|
||||
cli_auth_pubkey_cleanup();
|
||||
#endif
|
||||
}
|
||||
@ -281,14 +285,14 @@ int cli_auth_try() {
|
||||
|
||||
/* Order to try is pubkey, interactive, password.
|
||||
* As soon as "finished" is set for one, we don't do any more. */
|
||||
#ifdef ENABLE_CLI_PUBKEY_AUTH
|
||||
#if DROPBEAR_CLI_PUBKEY_AUTH
|
||||
if (ses.authstate.authtypes & AUTH_TYPE_PUBKEY) {
|
||||
finished = cli_auth_pubkey();
|
||||
cli_ses.lastauthtype = AUTH_TYPE_PUBKEY;
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef ENABLE_CLI_PASSWORD_AUTH
|
||||
#if DROPBEAR_CLI_PASSWORD_AUTH
|
||||
if (!finished && (ses.authstate.authtypes & AUTH_TYPE_PASSWORD)) {
|
||||
if (ses.keys->trans.algo_crypt->cipherdesc == NULL) {
|
||||
fprintf(stderr, "Sorry, I won't let you use password auth unencrypted.\n");
|
||||
@ -300,7 +304,7 @@ int cli_auth_try() {
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef ENABLE_CLI_INTERACT_AUTH
|
||||
#if DROPBEAR_CLI_INTERACT_AUTH
|
||||
if (!finished && (ses.authstate.authtypes & AUTH_TYPE_INTERACT)) {
|
||||
if (ses.keys->trans.algo_crypt->cipherdesc == NULL) {
|
||||
fprintf(stderr, "Sorry, I won't let you use interactive auth unencrypted.\n");
|
||||
@ -324,7 +328,7 @@ int cli_auth_try() {
|
||||
return DROPBEAR_FAILURE;
|
||||
}
|
||||
|
||||
#if defined(ENABLE_CLI_PASSWORD_AUTH) || defined(ENABLE_CLI_INTERACT_AUTH)
|
||||
#if DROPBEAR_CLI_PASSWORD_AUTH || DROPBEAR_CLI_INTERACT_AUTH
|
||||
/* A helper for getpass() that exits if the user cancels. The returned
|
||||
* password is statically allocated by getpass() */
|
||||
char* getpass_or_cancel(char* prompt)
|
||||
|
@ -29,7 +29,7 @@
|
||||
#include "ssh.h"
|
||||
#include "runopts.h"
|
||||
|
||||
#ifdef ENABLE_CLI_INTERACT_AUTH
|
||||
#if DROPBEAR_CLI_INTERACT_AUTH
|
||||
|
||||
static char* get_response(char* prompt)
|
||||
{
|
||||
@ -172,4 +172,4 @@ void cli_auth_interactive() {
|
||||
TRACE(("leave cli_auth_interactive"))
|
||||
|
||||
}
|
||||
#endif /* ENABLE_CLI_INTERACT_AUTH */
|
||||
#endif /* DROPBEAR_CLI_INTERACT_AUTH */
|
||||
|
@ -29,9 +29,9 @@
|
||||
#include "ssh.h"
|
||||
#include "runopts.h"
|
||||
|
||||
#ifdef ENABLE_CLI_PASSWORD_AUTH
|
||||
#if DROPBEAR_CLI_PASSWORD_AUTH
|
||||
|
||||
#ifdef ENABLE_CLI_ASKPASS_HELPER
|
||||
#if DROPBEAR_CLI_ASKPASS_HELPER
|
||||
/* Returns 1 if we want to use the askpass program, 0 otherwise */
|
||||
static int want_askpass()
|
||||
{
|
||||
@ -113,7 +113,7 @@ static char *gui_getpass(const char *prompt) {
|
||||
TRACE(("leave gui_getpass"))
|
||||
return(buf);
|
||||
}
|
||||
#endif /* ENABLE_CLI_ASKPASS_HELPER */
|
||||
#endif /* DROPBEAR_CLI_ASKPASS_HELPER */
|
||||
|
||||
void cli_auth_password() {
|
||||
|
||||
@ -125,7 +125,7 @@ void cli_auth_password() {
|
||||
|
||||
snprintf(prompt, sizeof(prompt), "%s@%s's password: ",
|
||||
cli_opts.username, cli_opts.remotehost);
|
||||
#ifdef ENABLE_CLI_ASKPASS_HELPER
|
||||
#if DROPBEAR_CLI_ASKPASS_HELPER
|
||||
if (want_askpass())
|
||||
{
|
||||
password = gui_getpass(prompt);
|
||||
@ -158,4 +158,4 @@ void cli_auth_password() {
|
||||
|
||||
TRACE(("leave cli_auth_password"))
|
||||
}
|
||||
#endif /* ENABLE_CLI_PASSWORD_AUTH */
|
||||
#endif /* DROPBEAR_CLI_PASSWORD_AUTH */
|
||||
|
@ -32,7 +32,7 @@
|
||||
#include "auth.h"
|
||||
#include "agentfwd.h"
|
||||
|
||||
#ifdef ENABLE_CLI_PUBKEY_AUTH
|
||||
#if DROPBEAR_CLI_PUBKEY_AUTH
|
||||
static void send_msg_userauth_pubkey(sign_key *key, int type, int realsign);
|
||||
|
||||
/* Called when we receive a SSH_MSG_USERAUTH_FAILURE for a pubkey request.
|
||||
@ -122,7 +122,7 @@ void recv_msg_userauth_pk_ok() {
|
||||
|
||||
void cli_buf_put_sign(buffer* buf, sign_key *key, int type,
|
||||
buffer *data_buf) {
|
||||
#ifdef ENABLE_CLI_AGENTFWD
|
||||
#if DROPBEAR_CLI_AGENTFWD
|
||||
if (key->source == SIGNKEY_SOURCE_AGENT) {
|
||||
/* Format the agent signature ourselves, as buf_put_sign would. */
|
||||
buffer *sigblob;
|
||||
@ -131,7 +131,7 @@ void cli_buf_put_sign(buffer* buf, sign_key *key, int type,
|
||||
buf_putbufstring(buf, sigblob);
|
||||
buf_free(sigblob);
|
||||
} else
|
||||
#endif /* ENABLE_CLI_AGENTFWD */
|
||||
#endif /* DROPBEAR_CLI_AGENTFWD */
|
||||
{
|
||||
buf_put_sign(buf, key, type, data_buf);
|
||||
}
|
||||
@ -185,7 +185,7 @@ int cli_auth_pubkey() {
|
||||
|
||||
TRACE(("enter cli_auth_pubkey"))
|
||||
|
||||
#ifdef ENABLE_CLI_AGENTFWD
|
||||
#if DROPBEAR_CLI_AGENTFWD
|
||||
if (!cli_opts.agent_keys_loaded) {
|
||||
/* get the list of available keys from the agent */
|
||||
cli_load_agent_keys(cli_opts.privkeys);
|
||||
@ -209,7 +209,7 @@ int cli_auth_pubkey() {
|
||||
|
||||
void cli_auth_pubkey_cleanup() {
|
||||
|
||||
#ifdef ENABLE_CLI_AGENTFWD
|
||||
#if DROPBEAR_CLI_AGENTFWD
|
||||
m_close(cli_opts.agent_fd);
|
||||
cli_opts.agent_fd = -1;
|
||||
#endif
|
||||
|
@ -355,7 +355,7 @@ static int cli_initchansess(struct Channel *channel) {
|
||||
|
||||
cli_init_stdpipe_sess(channel);
|
||||
|
||||
#ifdef ENABLE_CLI_AGENTFWD
|
||||
#if DROPBEAR_CLI_AGENTFWD
|
||||
if (cli_opts.agent_fwd) {
|
||||
cli_setup_agent(channel);
|
||||
}
|
||||
@ -379,7 +379,7 @@ static int cli_initchansess(struct Channel *channel) {
|
||||
return 0; /* Success */
|
||||
}
|
||||
|
||||
#ifdef ENABLE_CLI_NETCAT
|
||||
#if DROPBEAR_CLI_NETCAT
|
||||
|
||||
static const struct ChanType cli_chan_netcat = {
|
||||
0, /* sepfds */
|
||||
|
24
cli-kex.c
24
cli-kex.c
@ -48,6 +48,7 @@ void send_msg_kexdh_init() {
|
||||
CHECKCLEARTOWRITE();
|
||||
buf_putbyte(ses.writepayload, SSH_MSG_KEXDH_INIT);
|
||||
switch (ses.newkeys->algo_kex->mode) {
|
||||
#if DROPBEAR_NORMAL_DH
|
||||
case DROPBEAR_KEX_NORMAL_DH:
|
||||
if (ses.newkeys->algo_kex != cli_ses.param_kex_algo
|
||||
|| !cli_ses.dh_param) {
|
||||
@ -58,8 +59,9 @@ void send_msg_kexdh_init() {
|
||||
}
|
||||
buf_putmpint(ses.writepayload, &cli_ses.dh_param->pub);
|
||||
break;
|
||||
#endif
|
||||
#if DROPBEAR_ECDH
|
||||
case DROPBEAR_KEX_ECDH:
|
||||
#ifdef DROPBEAR_ECDH
|
||||
if (ses.newkeys->algo_kex != cli_ses.param_kex_algo
|
||||
|| !cli_ses.ecdh_param) {
|
||||
if (cli_ses.ecdh_param) {
|
||||
@ -68,9 +70,9 @@ void send_msg_kexdh_init() {
|
||||
cli_ses.ecdh_param = gen_kexecdh_param();
|
||||
}
|
||||
buf_put_ecc_raw_pubkey_string(ses.writepayload, &cli_ses.ecdh_param->key);
|
||||
#endif
|
||||
break;
|
||||
#ifdef DROPBEAR_CURVE25519
|
||||
#endif
|
||||
#if DROPBEAR_CURVE25519
|
||||
case DROPBEAR_KEX_CURVE25519:
|
||||
if (ses.newkeys->algo_kex != cli_ses.param_kex_algo
|
||||
|| !cli_ses.curve25519_param) {
|
||||
@ -80,8 +82,8 @@ void send_msg_kexdh_init() {
|
||||
cli_ses.curve25519_param = gen_kexcurve25519_param();
|
||||
}
|
||||
buf_putstring(ses.writepayload, (const char*)cli_ses.curve25519_param->pub, CURVE25519_LEN);
|
||||
#endif
|
||||
break;
|
||||
#endif
|
||||
}
|
||||
|
||||
cli_ses.param_kex_algo = ses.newkeys->algo_kex;
|
||||
@ -118,6 +120,7 @@ void recv_msg_kexdh_reply() {
|
||||
}
|
||||
|
||||
switch (ses.newkeys->algo_kex->mode) {
|
||||
#if DROPBEAR_NORMAL_DH
|
||||
case DROPBEAR_KEX_NORMAL_DH:
|
||||
{
|
||||
DEF_MP_INT(dh_f);
|
||||
@ -131,37 +134,38 @@ void recv_msg_kexdh_reply() {
|
||||
mp_clear(&dh_f);
|
||||
}
|
||||
break;
|
||||
#endif
|
||||
#if DROPBEAR_ECDH
|
||||
case DROPBEAR_KEX_ECDH:
|
||||
#ifdef DROPBEAR_ECDH
|
||||
{
|
||||
buffer *ecdh_qs = buf_getstringbuf(ses.payload);
|
||||
kexecdh_comb_key(cli_ses.ecdh_param, ecdh_qs, hostkey);
|
||||
buf_free(ecdh_qs);
|
||||
}
|
||||
#endif
|
||||
break;
|
||||
#ifdef DROPBEAR_CURVE25519
|
||||
#endif
|
||||
#if DROPBEAR_CURVE25519
|
||||
case DROPBEAR_KEX_CURVE25519:
|
||||
{
|
||||
buffer *ecdh_qs = buf_getstringbuf(ses.payload);
|
||||
kexcurve25519_comb_key(cli_ses.curve25519_param, ecdh_qs, hostkey);
|
||||
buf_free(ecdh_qs);
|
||||
}
|
||||
#endif
|
||||
break;
|
||||
#endif
|
||||
}
|
||||
|
||||
if (cli_ses.dh_param) {
|
||||
free_kexdh_param(cli_ses.dh_param);
|
||||
cli_ses.dh_param = NULL;
|
||||
}
|
||||
#ifdef DROPBEAR_ECDH
|
||||
#if DROPBEAR_ECDH
|
||||
if (cli_ses.ecdh_param) {
|
||||
free_kexecdh_param(cli_ses.ecdh_param);
|
||||
cli_ses.ecdh_param = NULL;
|
||||
}
|
||||
#endif
|
||||
#ifdef DROPBEAR_CURVE25519
|
||||
#if DROPBEAR_CURVE25519
|
||||
if (cli_ses.curve25519_param) {
|
||||
free_kexcurve25519_param(cli_ses.curve25519_param);
|
||||
cli_ses.curve25519_param = NULL;
|
||||
|
12
cli-main.c
12
cli-main.c
@ -35,13 +35,13 @@
|
||||
static void cli_dropbear_exit(int exitcode, const char* format, va_list param) ATTRIB_NORETURN;
|
||||
static void cli_dropbear_log(int priority, const char* format, va_list param);
|
||||
|
||||
#ifdef ENABLE_CLI_PROXYCMD
|
||||
#if DROPBEAR_CLI_PROXYCMD
|
||||
static void cli_proxy_cmd(int *sock_in, int *sock_out, pid_t *pid_out);
|
||||
static void kill_proxy_sighandler(int signo);
|
||||
#endif
|
||||
|
||||
#if defined(DBMULTI_dbclient) || !defined(DROPBEAR_MULTI)
|
||||
#if defined(DBMULTI_dbclient) && defined(DROPBEAR_MULTI)
|
||||
#if defined(DBMULTI_dbclient) || !DROPBEAR_MULTI
|
||||
#if defined(DBMULTI_dbclient) && DROPBEAR_MULTI
|
||||
int cli_main(int argc, char ** argv) {
|
||||
#else
|
||||
int main(int argc, char ** argv) {
|
||||
@ -74,7 +74,7 @@ int main(int argc, char ** argv) {
|
||||
}
|
||||
|
||||
pid_t proxy_cmd_pid = 0;
|
||||
#ifdef ENABLE_CLI_PROXYCMD
|
||||
#if DROPBEAR_CLI_PROXYCMD
|
||||
if (cli_opts.proxycmd) {
|
||||
cli_proxy_cmd(&sock_in, &sock_out, &proxy_cmd_pid);
|
||||
m_free(cli_opts.proxycmd);
|
||||
@ -151,7 +151,7 @@ static void exec_proxy_cmd(void *user_data_cmd) {
|
||||
dropbear_exit("Failed to run '%s'\n", cmd);
|
||||
}
|
||||
|
||||
#ifdef ENABLE_CLI_PROXYCMD
|
||||
#if DROPBEAR_CLI_PROXYCMD
|
||||
static void cli_proxy_cmd(int *sock_in, int *sock_out, pid_t *pid_out) {
|
||||
char * ex_cmd = NULL;
|
||||
size_t ex_cmdlen;
|
||||
@ -176,4 +176,4 @@ static void kill_proxy_sighandler(int UNUSED(signo)) {
|
||||
kill_proxy_command();
|
||||
_exit(1);
|
||||
}
|
||||
#endif /* ENABLE_CLI_PROXYCMD */
|
||||
#endif /* DROPBEAR_CLI_PROXYCMD */
|
||||
|
110
cli-runopts.c
110
cli-runopts.c
@ -37,13 +37,13 @@ static void printhelp(void);
|
||||
static void parse_hostname(const char* orighostarg);
|
||||
static void parse_multihop_hostname(const char* orighostarg, const char* argv0);
|
||||
static void fill_own_user(void);
|
||||
#ifdef ENABLE_CLI_PUBKEY_AUTH
|
||||
#if DROPBEAR_CLI_PUBKEY_AUTH
|
||||
static void loadidentityfile(const char* filename, int warnfail);
|
||||
#endif
|
||||
#ifdef ENABLE_CLI_ANYTCPFWD
|
||||
#if DROPBEAR_CLI_ANYTCPFWD
|
||||
static void addforward(const char* str, m_list *fwdlist);
|
||||
#endif
|
||||
#ifdef ENABLE_CLI_NETCAT
|
||||
#if DROPBEAR_CLI_NETCAT
|
||||
static void add_netcat(const char *str);
|
||||
#endif
|
||||
static void add_extendedopt(const char *str);
|
||||
@ -51,7 +51,7 @@ static void add_extendedopt(const char *str);
|
||||
static void printhelp() {
|
||||
|
||||
fprintf(stderr, "Dropbear SSH client v%s https://matt.ucc.asn.au/dropbear/dropbear.html\n"
|
||||
#ifdef ENABLE_CLI_MULTIHOP
|
||||
#if DROPBEAR_CLI_MULTIHOP
|
||||
"Usage: %s [options] [user@]host[/port][,[user@]host/port],...] [command]\n"
|
||||
#else
|
||||
"Usage: %s [options] [user@]host[/port] [command]\n"
|
||||
@ -66,38 +66,38 @@ static void printhelp() {
|
||||
"-y -y Don't perform any remote host key checking (caution)\n"
|
||||
"-s Request a subsystem (use by external sftp)\n"
|
||||
"-o option Set option in OpenSSH-like format ('-o help' to list options)\n"
|
||||
#ifdef ENABLE_CLI_PUBKEY_AUTH
|
||||
#if DROPBEAR_CLI_PUBKEY_AUTH
|
||||
"-i <identityfile> (multiple allowed, default %s)\n"
|
||||
#endif
|
||||
#ifdef ENABLE_CLI_AGENTFWD
|
||||
#if DROPBEAR_CLI_AGENTFWD
|
||||
"-A Enable agent auth forwarding\n"
|
||||
#endif
|
||||
#ifdef ENABLE_CLI_LOCALTCPFWD
|
||||
#if DROPBEAR_CLI_LOCALTCPFWD
|
||||
"-L <[listenaddress:]listenport:remotehost:remoteport> Local port forwarding\n"
|
||||
"-g Allow remote hosts to connect to forwarded ports\n"
|
||||
#endif
|
||||
#ifdef ENABLE_CLI_REMOTETCPFWD
|
||||
#if DROPBEAR_CLI_REMOTETCPFWD
|
||||
"-R <[listenaddress:]listenport:remotehost:remoteport> Remote port forwarding\n"
|
||||
#endif
|
||||
"-W <receive_window_buffer> (default %d, larger may be faster, max 1MB)\n"
|
||||
"-K <keepalive> (0 is never, default %d)\n"
|
||||
"-I <idle_timeout> (0 is never, default %d)\n"
|
||||
#ifdef ENABLE_CLI_NETCAT
|
||||
#if DROPBEAR_CLI_NETCAT
|
||||
"-B <endhost:endport> Netcat-alike forwarding\n"
|
||||
#endif
|
||||
#ifdef ENABLE_CLI_PROXYCMD
|
||||
#if DROPBEAR_CLI_PROXYCMD
|
||||
"-J <proxy_program> Use program pipe rather than TCP connection\n"
|
||||
#endif
|
||||
#ifdef ENABLE_USER_ALGO_LIST
|
||||
#if DROPBEAR_USER_ALGO_LIST
|
||||
"-c <cipher list> Specify preferred ciphers ('-c help' to list options)\n"
|
||||
"-m <MAC list> Specify preferred MACs for packet verification (or '-m help')\n"
|
||||
#endif
|
||||
"-V Version\n"
|
||||
#ifdef DEBUG_TRACE
|
||||
#if DEBUG_TRACE
|
||||
"-v verbose (compiled with DEBUG_TRACE)\n"
|
||||
#endif
|
||||
,DROPBEAR_VERSION, cli_opts.progname,
|
||||
#ifdef ENABLE_CLI_PUBKEY_AUTH
|
||||
#if DROPBEAR_CLI_PUBKEY_AUTH
|
||||
DROPBEAR_DEFAULT_CLI_AUTHKEY,
|
||||
#endif
|
||||
DEFAULT_RECV_WINDOW, DEFAULT_KEEPALIVE, DEFAULT_IDLE_TIMEOUT);
|
||||
@ -109,16 +109,16 @@ void cli_getopts(int argc, char ** argv) {
|
||||
char ** next = 0;
|
||||
enum {
|
||||
OPT_EXTENDED_OPTIONS,
|
||||
#ifdef ENABLE_CLI_PUBKEY_AUTH
|
||||
#if DROPBEAR_CLI_PUBKEY_AUTH
|
||||
OPT_AUTHKEY,
|
||||
#endif
|
||||
#ifdef ENABLE_CLI_LOCALTCPFWD
|
||||
#if DROPBEAR_CLI_LOCALTCPFWD
|
||||
OPT_LOCALTCPFWD,
|
||||
#endif
|
||||
#ifdef ENABLE_CLI_REMOTETCPFWD
|
||||
#if DROPBEAR_CLI_REMOTETCPFWD
|
||||
OPT_REMOTETCPFWD,
|
||||
#endif
|
||||
#ifdef ENABLE_CLI_NETCAT
|
||||
#if DROPBEAR_CLI_NETCAT
|
||||
OPT_NETCAT,
|
||||
#endif
|
||||
/* a flag (no arg) if 'next' is NULL, a string-valued option otherwise */
|
||||
@ -145,31 +145,31 @@ void cli_getopts(int argc, char ** argv) {
|
||||
cli_opts.always_accept_key = 0;
|
||||
cli_opts.no_hostkey_check = 0;
|
||||
cli_opts.is_subsystem = 0;
|
||||
#ifdef ENABLE_CLI_PUBKEY_AUTH
|
||||
#if DROPBEAR_CLI_PUBKEY_AUTH
|
||||
cli_opts.privkeys = list_new();
|
||||
#endif
|
||||
#ifdef ENABLE_CLI_ANYTCPFWD
|
||||
#if DROPBEAR_CLI_ANYTCPFWD
|
||||
cli_opts.exit_on_fwd_failure = 0;
|
||||
#endif
|
||||
#ifdef ENABLE_CLI_LOCALTCPFWD
|
||||
#if DROPBEAR_CLI_LOCALTCPFWD
|
||||
cli_opts.localfwds = list_new();
|
||||
opts.listen_fwd_all = 0;
|
||||
#endif
|
||||
#ifdef ENABLE_CLI_REMOTETCPFWD
|
||||
#if DROPBEAR_CLI_REMOTETCPFWD
|
||||
cli_opts.remotefwds = list_new();
|
||||
#endif
|
||||
#ifdef ENABLE_CLI_AGENTFWD
|
||||
#if DROPBEAR_CLI_AGENTFWD
|
||||
cli_opts.agent_fwd = 0;
|
||||
cli_opts.agent_fd = -1;
|
||||
cli_opts.agent_keys_loaded = 0;
|
||||
#endif
|
||||
#ifdef ENABLE_CLI_PROXYCMD
|
||||
#if DROPBEAR_CLI_PROXYCMD
|
||||
cli_opts.proxycmd = NULL;
|
||||
#endif
|
||||
#ifndef DISABLE_ZLIB
|
||||
opts.compress_mode = DROPBEAR_COMPRESS_ON;
|
||||
#endif
|
||||
#ifdef ENABLE_USER_ALGO_LIST
|
||||
#if DROPBEAR_USER_ALGO_LIST
|
||||
opts.cipher_list = NULL;
|
||||
opts.mac_list = NULL;
|
||||
#endif
|
||||
@ -213,7 +213,7 @@ void cli_getopts(int argc, char ** argv) {
|
||||
case 'p': /* remoteport */
|
||||
next = &cli_opts.remoteport;
|
||||
break;
|
||||
#ifdef ENABLE_CLI_PUBKEY_AUTH
|
||||
#if DROPBEAR_CLI_PUBKEY_AUTH
|
||||
case 'i': /* an identityfile */
|
||||
opt = OPT_AUTHKEY;
|
||||
break;
|
||||
@ -236,7 +236,7 @@ void cli_getopts(int argc, char ** argv) {
|
||||
case 'o':
|
||||
opt = OPT_EXTENDED_OPTIONS;
|
||||
break;
|
||||
#ifdef ENABLE_CLI_LOCALTCPFWD
|
||||
#if DROPBEAR_CLI_LOCALTCPFWD
|
||||
case 'L':
|
||||
opt = OPT_LOCALTCPFWD;
|
||||
break;
|
||||
@ -244,17 +244,17 @@ void cli_getopts(int argc, char ** argv) {
|
||||
opts.listen_fwd_all = 1;
|
||||
break;
|
||||
#endif
|
||||
#ifdef ENABLE_CLI_REMOTETCPFWD
|
||||
#if DROPBEAR_CLI_REMOTETCPFWD
|
||||
case 'R':
|
||||
opt = OPT_REMOTETCPFWD;
|
||||
break;
|
||||
#endif
|
||||
#ifdef ENABLE_CLI_NETCAT
|
||||
#if DROPBEAR_CLI_NETCAT
|
||||
case 'B':
|
||||
opt = OPT_NETCAT;
|
||||
break;
|
||||
#endif
|
||||
#ifdef ENABLE_CLI_PROXYCMD
|
||||
#if DROPBEAR_CLI_PROXYCMD
|
||||
case 'J':
|
||||
next = &cli_opts.proxycmd;
|
||||
break;
|
||||
@ -278,12 +278,12 @@ void cli_getopts(int argc, char ** argv) {
|
||||
case 'I':
|
||||
next = &idle_timeout_arg;
|
||||
break;
|
||||
#ifdef ENABLE_CLI_AGENTFWD
|
||||
#if DROPBEAR_CLI_AGENTFWD
|
||||
case 'A':
|
||||
cli_opts.agent_fwd = 1;
|
||||
break;
|
||||
#endif
|
||||
#ifdef ENABLE_USER_ALGO_LIST
|
||||
#if DROPBEAR_USER_ALGO_LIST
|
||||
case 'c':
|
||||
next = &opts.cipher_list;
|
||||
break;
|
||||
@ -291,22 +291,22 @@ void cli_getopts(int argc, char ** argv) {
|
||||
next = &opts.mac_list;
|
||||
break;
|
||||
#endif
|
||||
#ifdef DEBUG_TRACE
|
||||
#if DEBUG_TRACE
|
||||
case 'v':
|
||||
debug_trace = 1;
|
||||
break;
|
||||
#endif
|
||||
case 'F':
|
||||
case 'e':
|
||||
#ifndef ENABLE_USER_ALGO_LIST
|
||||
#if !DROPBEAR_USER_ALGO_LIST
|
||||
case 'c':
|
||||
case 'm':
|
||||
#endif
|
||||
case 'D':
|
||||
#ifndef ENABLE_CLI_REMOTETCPFWD
|
||||
#ifndef DROPBEAR_CLI_REMOTETCPFWD
|
||||
case 'R':
|
||||
#endif
|
||||
#ifndef ENABLE_CLI_LOCALTCPFWD
|
||||
#ifndef DROPBEAR_CLI_LOCALTCPFWD
|
||||
case 'L':
|
||||
#endif
|
||||
case 'V':
|
||||
@ -338,28 +338,28 @@ void cli_getopts(int argc, char ** argv) {
|
||||
add_extendedopt(&argv[i][j]);
|
||||
}
|
||||
else
|
||||
#ifdef ENABLE_CLI_PUBKEY_AUTH
|
||||
#if DROPBEAR_CLI_PUBKEY_AUTH
|
||||
if (opt == OPT_AUTHKEY) {
|
||||
TRACE(("opt authkey"))
|
||||
loadidentityfile(&argv[i][j], 1);
|
||||
}
|
||||
else
|
||||
#endif
|
||||
#ifdef ENABLE_CLI_REMOTETCPFWD
|
||||
#if DROPBEAR_CLI_REMOTETCPFWD
|
||||
if (opt == OPT_REMOTETCPFWD) {
|
||||
TRACE(("opt remotetcpfwd"))
|
||||
addforward(&argv[i][j], cli_opts.remotefwds);
|
||||
}
|
||||
else
|
||||
#endif
|
||||
#ifdef ENABLE_CLI_LOCALTCPFWD
|
||||
#if DROPBEAR_CLI_LOCALTCPFWD
|
||||
if (opt == OPT_LOCALTCPFWD) {
|
||||
TRACE(("opt localtcpfwd"))
|
||||
addforward(&argv[i][j], cli_opts.localfwds);
|
||||
}
|
||||
else
|
||||
#endif
|
||||
#ifdef ENABLE_CLI_NETCAT
|
||||
#if DROPBEAR_CLI_NETCAT
|
||||
if (opt == OPT_NETCAT) {
|
||||
TRACE(("opt netcat"))
|
||||
add_netcat(&argv[i][j]);
|
||||
@ -405,11 +405,11 @@ void cli_getopts(int argc, char ** argv) {
|
||||
|
||||
/* And now a few sanity checks and setup */
|
||||
|
||||
#ifdef ENABLE_USER_ALGO_LIST
|
||||
#if DROPBEAR_USER_ALGO_LIST
|
||||
parse_ciphers_macs();
|
||||
#endif
|
||||
|
||||
#ifdef ENABLE_CLI_PROXYCMD
|
||||
#if DROPBEAR_CLI_PROXYCMD
|
||||
if (cli_opts.proxycmd) {
|
||||
/* To match the common path of m_freeing it */
|
||||
cli_opts.proxycmd = m_strdup(cli_opts.proxycmd);
|
||||
@ -457,13 +457,13 @@ void cli_getopts(int argc, char ** argv) {
|
||||
opts.idle_timeout_secs = val;
|
||||
}
|
||||
|
||||
#ifdef ENABLE_CLI_NETCAT
|
||||
#if DROPBEAR_CLI_NETCAT
|
||||
if (cli_opts.cmd && cli_opts.netcat_host) {
|
||||
dropbear_log(LOG_INFO, "Ignoring command '%s' in netcat mode", cli_opts.cmd);
|
||||
}
|
||||
#endif
|
||||
|
||||
#if defined(DROPBEAR_DEFAULT_CLI_AUTHKEY) && defined(ENABLE_CLI_PUBKEY_AUTH)
|
||||
#if (DROPBEAR_CLI_PUBKEY_AUTH)
|
||||
{
|
||||
char *expand_path = expand_homedir_path(DROPBEAR_DEFAULT_CLI_AUTHKEY);
|
||||
loadidentityfile(expand_path, 0);
|
||||
@ -474,14 +474,14 @@ void cli_getopts(int argc, char ** argv) {
|
||||
/* The hostname gets set up last, since
|
||||
* in multi-hop mode it will require knowledge
|
||||
* of other flags such as -i */
|
||||
#ifdef ENABLE_CLI_MULTIHOP
|
||||
#if DROPBEAR_CLI_MULTIHOP
|
||||
parse_multihop_hostname(host_arg, argv[0]);
|
||||
#else
|
||||
parse_hostname(host_arg);
|
||||
#endif
|
||||
}
|
||||
|
||||
#ifdef ENABLE_CLI_PUBKEY_AUTH
|
||||
#if DROPBEAR_CLI_PUBKEY_AUTH
|
||||
static void loadidentityfile(const char* filename, int warnfail) {
|
||||
sign_key *key;
|
||||
enum signkey_type keytype;
|
||||
@ -504,7 +504,7 @@ static void loadidentityfile(const char* filename, int warnfail) {
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef ENABLE_CLI_MULTIHOP
|
||||
#if DROPBEAR_CLI_MULTIHOP
|
||||
|
||||
static char*
|
||||
multihop_passthrough_args() {
|
||||
@ -514,13 +514,13 @@ multihop_passthrough_args() {
|
||||
m_list_elem *iter;
|
||||
/* Fill out -i, -y, -W options that make sense for all
|
||||
* the intermediate processes */
|
||||
#ifdef ENABLE_CLI_PUBKEY_AUTH
|
||||
#if DROPBEAR_CLI_PUBKEY_AUTH
|
||||
for (iter = cli_opts.privkeys->first; iter; iter = iter->next)
|
||||
{
|
||||
sign_key * key = (sign_key*)iter->item;
|
||||
len += 3 + strlen(key->filename);
|
||||
}
|
||||
#endif /* ENABLE_CLI_PUBKEY_AUTH */
|
||||
#endif /* DROPBEAR_CLI_PUBKEY_AUTH */
|
||||
|
||||
len += 30; /* space for -W <size>, terminator. */
|
||||
ret = m_malloc(len);
|
||||
@ -543,7 +543,7 @@ multihop_passthrough_args() {
|
||||
total += written;
|
||||
}
|
||||
|
||||
#ifdef ENABLE_CLI_PUBKEY_AUTH
|
||||
#if DROPBEAR_CLI_PUBKEY_AUTH
|
||||
for (iter = cli_opts.privkeys->first; iter; iter = iter->next)
|
||||
{
|
||||
sign_key * key = (sign_key*)iter->item;
|
||||
@ -552,7 +552,7 @@ multihop_passthrough_args() {
|
||||
dropbear_assert((unsigned int)written < size);
|
||||
total += written;
|
||||
}
|
||||
#endif /* ENABLE_CLI_PUBKEY_AUTH */
|
||||
#endif /* DROPBEAR_CLI_PUBKEY_AUTH */
|
||||
|
||||
/* if args were passed, total will be not zero, and it will have a space at the end, so remove that */
|
||||
if (total > 0)
|
||||
@ -636,7 +636,7 @@ static void parse_multihop_hostname(const char* orighostarg, const char* argv0)
|
||||
}
|
||||
m_free(hostbuf);
|
||||
}
|
||||
#endif /* !ENABLE_CLI_MULTIHOP */
|
||||
#endif /* !DROPBEAR_CLI_MULTIHOP */
|
||||
|
||||
/* Parses a [user@]hostname[/port] argument. */
|
||||
static void parse_hostname(const char* orighostarg) {
|
||||
@ -675,7 +675,7 @@ static void parse_hostname(const char* orighostarg) {
|
||||
}
|
||||
}
|
||||
|
||||
#ifdef ENABLE_CLI_NETCAT
|
||||
#if DROPBEAR_CLI_NETCAT
|
||||
static void add_netcat(const char* origstr) {
|
||||
char *portstr = NULL;
|
||||
|
||||
@ -728,7 +728,7 @@ static void fill_own_user() {
|
||||
|
||||
}
|
||||
|
||||
#ifdef ENABLE_CLI_ANYTCPFWD
|
||||
#if DROPBEAR_CLI_ANYTCPFWD
|
||||
/* Turn a "[listenaddr:]listenport:remoteaddr:remoteport" string into into a forwarding
|
||||
* set, and add it to the forwarding list */
|
||||
static void addforward(const char* origstr, m_list *fwdlist) {
|
||||
@ -870,7 +870,7 @@ static void add_extendedopt(const char* origstr) {
|
||||
|
||||
if (strcmp(origstr, "help") == 0) {
|
||||
dropbear_log(LOG_INFO, "Available options:\n"
|
||||
#ifdef ENABLE_CLI_ANYTCPFWD
|
||||
#if DROPBEAR_CLI_ANYTCPFWD
|
||||
"\tExitOnForwardFailure\n"
|
||||
#endif
|
||||
#ifndef DISABLE_SYSLOG
|
||||
@ -880,7 +880,7 @@ static void add_extendedopt(const char* origstr) {
|
||||
exit(EXIT_SUCCESS);
|
||||
}
|
||||
|
||||
#ifdef ENABLE_CLI_ANYTCPFWD
|
||||
#if DROPBEAR_CLI_ANYTCPFWD
|
||||
if (match_extendedopt(&optstr, "ExitOnForwardFailure") == DROPBEAR_SUCCESS) {
|
||||
cli_opts.exit_on_fwd_failure = parse_flag_value(optstr);
|
||||
return;
|
||||
|
@ -73,7 +73,7 @@ static const packettype cli_packettypes[] = {
|
||||
{SSH_MSG_GLOBAL_REQUEST, recv_msg_global_request_cli},
|
||||
{SSH_MSG_CHANNEL_SUCCESS, ignore_recv_response},
|
||||
{SSH_MSG_CHANNEL_FAILURE, ignore_recv_response},
|
||||
#ifdef ENABLE_CLI_REMOTETCPFWD
|
||||
#if DROPBEAR_CLI_REMOTETCPFWD
|
||||
{SSH_MSG_REQUEST_SUCCESS, cli_recv_msg_request_success}, /* client */
|
||||
{SSH_MSG_REQUEST_FAILURE, cli_recv_msg_request_failure}, /* client */
|
||||
#else
|
||||
@ -85,10 +85,10 @@ static const packettype cli_packettypes[] = {
|
||||
};
|
||||
|
||||
static const struct ChanType *cli_chantypes[] = {
|
||||
#ifdef ENABLE_CLI_REMOTETCPFWD
|
||||
#if DROPBEAR_CLI_REMOTETCPFWD
|
||||
&cli_chan_tcpremote,
|
||||
#endif
|
||||
#ifdef ENABLE_CLI_AGENTFWD
|
||||
#if DROPBEAR_CLI_AGENTFWD
|
||||
&cli_chan_agent,
|
||||
#endif
|
||||
NULL /* Null termination */
|
||||
@ -133,7 +133,7 @@ void cli_session(int sock_in, int sock_out, struct dropbear_progress_connection
|
||||
|
||||
}
|
||||
|
||||
#ifdef USE_KEX_FIRST_FOLLOWS
|
||||
#if DROPBEAR_KEX_FIRST_FOLLOWS
|
||||
static void cli_send_kex_first_guess() {
|
||||
send_msg_kexdh_init();
|
||||
}
|
||||
@ -165,7 +165,7 @@ static void cli_session_init(pid_t proxy_cmd_pid) {
|
||||
cli_ses.lastprivkey = NULL;
|
||||
cli_ses.lastauthtype = 0;
|
||||
|
||||
#ifdef DROPBEAR_NONE_CIPHER
|
||||
#if DROPBEAR_NONE_CIPHER
|
||||
cli_ses.cipher_none_after_auth = get_algo_usable(sshciphers, "none");
|
||||
set_algo_usable(sshciphers, "none", 0);
|
||||
#else
|
||||
@ -182,7 +182,7 @@ static void cli_session_init(pid_t proxy_cmd_pid) {
|
||||
|
||||
ses.isserver = 0;
|
||||
|
||||
#ifdef USE_KEX_FIRST_FOLLOWS
|
||||
#if DROPBEAR_KEX_FIRST_FOLLOWS
|
||||
ses.send_kex_first_guess = cli_send_kex_first_guess;
|
||||
#endif
|
||||
|
||||
@ -275,7 +275,7 @@ static void cli_sessionloop() {
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef DROPBEAR_NONE_CIPHER
|
||||
#if DROPBEAR_NONE_CIPHER
|
||||
if (cli_ses.cipher_none_after_auth)
|
||||
{
|
||||
set_algo_usable(sshciphers, "none", 1);
|
||||
@ -299,7 +299,7 @@ static void cli_sessionloop() {
|
||||
}
|
||||
}
|
||||
|
||||
#ifdef ENABLE_CLI_NETCAT
|
||||
#if DROPBEAR_CLI_NETCAT
|
||||
if (cli_opts.netcat_host) {
|
||||
cli_send_netcat_request();
|
||||
} else
|
||||
@ -308,10 +308,10 @@ static void cli_sessionloop() {
|
||||
cli_send_chansess_request();
|
||||
}
|
||||
|
||||
#ifdef ENABLE_CLI_LOCALTCPFWD
|
||||
#if DROPBEAR_CLI_LOCALTCPFWD
|
||||
setup_localtcp();
|
||||
#endif
|
||||
#ifdef ENABLE_CLI_REMOTETCPFWD
|
||||
#if DROPBEAR_CLI_REMOTETCPFWD
|
||||
setup_remotetcp();
|
||||
#endif
|
||||
|
||||
|
18
cli-tcpfwd.c
18
cli-tcpfwd.c
@ -32,7 +32,7 @@
|
||||
#include "ssh.h"
|
||||
#include "netio.h"
|
||||
|
||||
#ifdef ENABLE_CLI_REMOTETCPFWD
|
||||
#if DROPBEAR_CLI_REMOTETCPFWD
|
||||
static int newtcpforwarded(struct Channel * channel);
|
||||
|
||||
const struct ChanType cli_chan_tcpremote = {
|
||||
@ -45,7 +45,7 @@ const struct ChanType cli_chan_tcpremote = {
|
||||
};
|
||||
#endif
|
||||
|
||||
#ifdef ENABLE_CLI_LOCALTCPFWD
|
||||
#if DROPBEAR_CLI_LOCALTCPFWD
|
||||
static int cli_localtcp(const char* listenaddr,
|
||||
unsigned int listenport,
|
||||
const char* remoteaddr,
|
||||
@ -60,7 +60,7 @@ static const struct ChanType cli_chan_tcplocal = {
|
||||
};
|
||||
#endif
|
||||
|
||||
#ifdef ENABLE_CLI_ANYTCPFWD
|
||||
#if DROPBEAR_CLI_ANYTCPFWD
|
||||
static void fwd_failed(const char* format, ...) ATTRIB_PRINTF(1,2);
|
||||
static void fwd_failed(const char* format, ...)
|
||||
{
|
||||
@ -77,7 +77,7 @@ static void fwd_failed(const char* format, ...)
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef ENABLE_CLI_LOCALTCPFWD
|
||||
#if DROPBEAR_CLI_LOCALTCPFWD
|
||||
void setup_localtcp() {
|
||||
m_list_elem *iter;
|
||||
int ret;
|
||||
@ -144,9 +144,9 @@ static int cli_localtcp(const char* listenaddr,
|
||||
TRACE(("leave cli_localtcp: %d", ret))
|
||||
return ret;
|
||||
}
|
||||
#endif /* ENABLE_CLI_LOCALTCPFWD */
|
||||
#endif /* DROPBEAR_CLI_LOCALTCPFWD */
|
||||
|
||||
#ifdef ENABLE_CLI_REMOTETCPFWD
|
||||
#if DROPBEAR_CLI_REMOTETCPFWD
|
||||
static void send_msg_global_request_remotetcp(const char *addr, int port) {
|
||||
|
||||
TRACE(("enter send_msg_global_request_remotetcp"))
|
||||
@ -234,7 +234,7 @@ static int newtcpforwarded(struct Channel * channel) {
|
||||
char *origaddr = NULL;
|
||||
unsigned int origport;
|
||||
m_list_elem * iter = NULL;
|
||||
struct TCPFwdEntry *fwd;
|
||||
struct TCPFwdEntry *fwd = NULL;
|
||||
char portstring[NI_MAXSERV];
|
||||
int err = SSH_OPEN_ADMINISTRATIVELY_PROHIBITED;
|
||||
|
||||
@ -265,7 +265,7 @@ static int newtcpforwarded(struct Channel * channel) {
|
||||
}
|
||||
|
||||
|
||||
if (iter == NULL) {
|
||||
if (iter == NULL || fwd == NULL) {
|
||||
/* We didn't request forwarding on that port */
|
||||
cleantext(origaddr);
|
||||
dropbear_log(LOG_INFO, "Server sent unrequested forward from \"%s:%d\"",
|
||||
@ -285,4 +285,4 @@ out:
|
||||
TRACE(("leave newtcpdirect: err %d", err))
|
||||
return err;
|
||||
}
|
||||
#endif /* ENABLE_CLI_REMOTETCPFWD */
|
||||
#endif /* DROPBEAR_CLI_REMOTETCPFWD */
|
||||
|
124
common-algo.c
124
common-algo.c
@ -53,27 +53,27 @@ static int void_start(int UNUSED(cipher), const unsigned char* UNUSED(IV),
|
||||
|
||||
/* Remember to add new ciphers/hashes to regciphers/reghashes too */
|
||||
|
||||
#ifdef DROPBEAR_AES256
|
||||
#if DROPBEAR_AES256
|
||||
static const struct dropbear_cipher dropbear_aes256 =
|
||||
{&aes_desc, 32, 16};
|
||||
#endif
|
||||
#ifdef DROPBEAR_AES128
|
||||
#if DROPBEAR_AES128
|
||||
static const struct dropbear_cipher dropbear_aes128 =
|
||||
{&aes_desc, 16, 16};
|
||||
#endif
|
||||
#ifdef DROPBEAR_BLOWFISH
|
||||
#if DROPBEAR_BLOWFISH
|
||||
static const struct dropbear_cipher dropbear_blowfish =
|
||||
{&blowfish_desc, 16, 8};
|
||||
#endif
|
||||
#ifdef DROPBEAR_TWOFISH256
|
||||
#if DROPBEAR_TWOFISH256
|
||||
static const struct dropbear_cipher dropbear_twofish256 =
|
||||
{&twofish_desc, 32, 16};
|
||||
#endif
|
||||
#ifdef DROPBEAR_TWOFISH128
|
||||
#if DROPBEAR_TWOFISH128
|
||||
static const struct dropbear_cipher dropbear_twofish128 =
|
||||
{&twofish_desc, 16, 16};
|
||||
#endif
|
||||
#ifdef DROPBEAR_3DES
|
||||
#if DROPBEAR_3DES
|
||||
static const struct dropbear_cipher dropbear_3des =
|
||||
{&des3_desc, 24, 8};
|
||||
#endif
|
||||
@ -84,7 +84,7 @@ const struct dropbear_cipher dropbear_nocipher =
|
||||
|
||||
/* A few void* s are required to silence warnings
|
||||
* about the symmetric_CBC vs symmetric_CTR cipher_state pointer */
|
||||
#ifdef DROPBEAR_ENABLE_CBC_MODE
|
||||
#if DROPBEAR_ENABLE_CBC_MODE
|
||||
const struct dropbear_cipher_mode dropbear_mode_cbc =
|
||||
{(void*)cbc_start, (void*)cbc_encrypt, (void*)cbc_decrypt};
|
||||
#endif /* DROPBEAR_ENABLE_CBC_MODE */
|
||||
@ -92,7 +92,7 @@ const struct dropbear_cipher_mode dropbear_mode_cbc =
|
||||
const struct dropbear_cipher_mode dropbear_mode_none =
|
||||
{void_start, void_cipher, void_cipher};
|
||||
|
||||
#ifdef DROPBEAR_ENABLE_CTR_MODE
|
||||
#if DROPBEAR_ENABLE_CTR_MODE
|
||||
/* a wrapper to make ctr_start and cbc_start look the same */
|
||||
static int dropbear_big_endian_ctr_start(int cipher,
|
||||
const unsigned char *IV,
|
||||
@ -107,23 +107,23 @@ const struct dropbear_cipher_mode dropbear_mode_ctr =
|
||||
/* Mapping of ssh hashes to libtomcrypt hashes, including keysize etc.
|
||||
{&hash_desc, keysize, hashsize} */
|
||||
|
||||
#ifdef DROPBEAR_SHA1_HMAC
|
||||
#if DROPBEAR_SHA1_HMAC
|
||||
static const struct dropbear_hash dropbear_sha1 =
|
||||
{&sha1_desc, 20, 20};
|
||||
#endif
|
||||
#ifdef DROPBEAR_SHA1_96_HMAC
|
||||
#if DROPBEAR_SHA1_96_HMAC
|
||||
static const struct dropbear_hash dropbear_sha1_96 =
|
||||
{&sha1_desc, 20, 12};
|
||||
#endif
|
||||
#ifdef DROPBEAR_SHA2_256_HMAC
|
||||
#if DROPBEAR_SHA2_256_HMAC
|
||||
static const struct dropbear_hash dropbear_sha2_256 =
|
||||
{&sha256_desc, 32, 32};
|
||||
#endif
|
||||
#ifdef DROPBEAR_SHA2_512_HMAC
|
||||
#if DROPBEAR_SHA2_512_HMAC
|
||||
static const struct dropbear_hash dropbear_sha2_512 =
|
||||
{&sha512_desc, 64, 64};
|
||||
#endif
|
||||
#ifdef DROPBEAR_MD5_HMAC
|
||||
#if DROPBEAR_MD5_HMAC
|
||||
static const struct dropbear_hash dropbear_md5 =
|
||||
{&md5_desc, 16, 16};
|
||||
#endif
|
||||
@ -137,72 +137,69 @@ const struct dropbear_hash dropbear_nohash =
|
||||
* that is also supported by the server will get used. */
|
||||
|
||||
algo_type sshciphers[] = {
|
||||
#ifdef DROPBEAR_ENABLE_CTR_MODE
|
||||
#ifdef DROPBEAR_AES128
|
||||
#if DROPBEAR_ENABLE_CTR_MODE
|
||||
#if DROPBEAR_AES128
|
||||
{"aes128-ctr", 0, &dropbear_aes128, 1, &dropbear_mode_ctr},
|
||||
#endif
|
||||
#ifdef DROPBEAR_AES256
|
||||
#if DROPBEAR_AES256
|
||||
{"aes256-ctr", 0, &dropbear_aes256, 1, &dropbear_mode_ctr},
|
||||
#endif
|
||||
#ifdef DROPBEAR_TWOFISH_CTR
|
||||
#if DROPBEAR_TWOFISH_CTR
|
||||
/* twofish ctr is conditional as it hasn't been tested for interoperability, see options.h */
|
||||
#ifdef DROPBEAR_TWOFISH256
|
||||
#if DROPBEAR_TWOFISH256
|
||||
{"twofish256-ctr", 0, &dropbear_twofish256, 1, &dropbear_mode_ctr},
|
||||
#endif
|
||||
#ifdef DROPBEAR_TWOFISH128
|
||||
#if DROPBEAR_TWOFISH128
|
||||
{"twofish128-ctr", 0, &dropbear_twofish128, 1, &dropbear_mode_ctr},
|
||||
#endif
|
||||
#endif /* DROPBEAR_TWOFISH_CTR */
|
||||
#endif /* DROPBEAR_ENABLE_CTR_MODE */
|
||||
|
||||
#ifdef DROPBEAR_ENABLE_CBC_MODE
|
||||
#ifdef DROPBEAR_AES128
|
||||
#if DROPBEAR_ENABLE_CBC_MODE
|
||||
#if DROPBEAR_AES128
|
||||
{"aes128-cbc", 0, &dropbear_aes128, 1, &dropbear_mode_cbc},
|
||||
#endif
|
||||
#ifdef DROPBEAR_AES256
|
||||
#if DROPBEAR_AES256
|
||||
{"aes256-cbc", 0, &dropbear_aes256, 1, &dropbear_mode_cbc},
|
||||
#endif
|
||||
#ifdef DROPBEAR_TWOFISH256
|
||||
#if DROPBEAR_TWOFISH256
|
||||
{"twofish256-cbc", 0, &dropbear_twofish256, 1, &dropbear_mode_cbc},
|
||||
{"twofish-cbc", 0, &dropbear_twofish256, 1, &dropbear_mode_cbc},
|
||||
#endif
|
||||
#ifdef DROPBEAR_TWOFISH128
|
||||
#if DROPBEAR_TWOFISH128
|
||||
{"twofish128-cbc", 0, &dropbear_twofish128, 1, &dropbear_mode_cbc},
|
||||
#endif
|
||||
#ifdef DROPBEAR_3DES
|
||||
#if DROPBEAR_3DES
|
||||
{"3des-ctr", 0, &dropbear_3des, 1, &dropbear_mode_ctr},
|
||||
#endif
|
||||
#ifdef DROPBEAR_3DES
|
||||
#if DROPBEAR_3DES
|
||||
{"3des-cbc", 0, &dropbear_3des, 1, &dropbear_mode_cbc},
|
||||
#endif
|
||||
#ifdef DROPBEAR_BLOWFISH
|
||||
#if DROPBEAR_BLOWFISH
|
||||
{"blowfish-cbc", 0, &dropbear_blowfish, 1, &dropbear_mode_cbc},
|
||||
#endif
|
||||
#endif /* DROPBEAR_ENABLE_CBC_MODE */
|
||||
#ifdef DROPBEAR_NONE_CIPHER
|
||||
#if DROPBEAR_NONE_CIPHER
|
||||
{"none", 0, (void*)&dropbear_nocipher, 1, &dropbear_mode_none},
|
||||
#endif
|
||||
{NULL, 0, NULL, 0, NULL}
|
||||
};
|
||||
|
||||
algo_type sshhashes[] = {
|
||||
#ifdef DROPBEAR_SHA1_96_HMAC
|
||||
#if DROPBEAR_SHA1_96_HMAC
|
||||
{"hmac-sha1-96", 0, &dropbear_sha1_96, 1, NULL},
|
||||
#endif
|
||||
#ifdef DROPBEAR_SHA1_HMAC
|
||||
#if DROPBEAR_SHA1_HMAC
|
||||
{"hmac-sha1", 0, &dropbear_sha1, 1, NULL},
|
||||
#endif
|
||||
#ifdef DROPBEAR_SHA2_256_HMAC
|
||||
#if DROPBEAR_SHA2_256_HMAC
|
||||
{"hmac-sha2-256", 0, &dropbear_sha2_256, 1, NULL},
|
||||
#endif
|
||||
#ifdef DROPBEAR_SHA2_512_HMAC
|
||||
#if DROPBEAR_SHA2_512_HMAC
|
||||
{"hmac-sha2-512", 0, &dropbear_sha2_512, 1, NULL},
|
||||
#endif
|
||||
#ifdef DROPBEAR_MD5_HMAC
|
||||
#if DROPBEAR_MD5_HMAC
|
||||
{"hmac-md5", 0, (void*)&dropbear_md5, 1, NULL},
|
||||
#endif
|
||||
#ifdef DROPBEAR_NONE_INTEGRITY
|
||||
{"none", 0, (void*)&dropbear_nohash, 1, NULL},
|
||||
#endif
|
||||
{NULL, 0, NULL, 0, NULL}
|
||||
};
|
||||
@ -228,21 +225,21 @@ algo_type ssh_nocompress[] = {
|
||||
};
|
||||
|
||||
algo_type sshhostkey[] = {
|
||||
#ifdef DROPBEAR_ECDSA
|
||||
#ifdef DROPBEAR_ECC_256
|
||||
#if DROPBEAR_ECDSA
|
||||
#if DROPBEAR_ECC_256
|
||||
{"ecdsa-sha2-nistp256", DROPBEAR_SIGNKEY_ECDSA_NISTP256, NULL, 1, NULL},
|
||||
#endif
|
||||
#ifdef DROPBEAR_ECC_384
|
||||
#if DROPBEAR_ECC_384
|
||||
{"ecdsa-sha2-nistp384", DROPBEAR_SIGNKEY_ECDSA_NISTP384, NULL, 1, NULL},
|
||||
#endif
|
||||
#ifdef DROPBEAR_ECC_521
|
||||
#if DROPBEAR_ECC_521
|
||||
{"ecdsa-sha2-nistp521", DROPBEAR_SIGNKEY_ECDSA_NISTP521, NULL, 1, NULL},
|
||||
#endif
|
||||
#endif
|
||||
#ifdef DROPBEAR_RSA
|
||||
#if DROPBEAR_RSA
|
||||
{"ssh-rsa", DROPBEAR_SIGNKEY_RSA, NULL, 1, NULL},
|
||||
#endif
|
||||
#ifdef DROPBEAR_DSS
|
||||
#if DROPBEAR_DSS
|
||||
{"ssh-dss", DROPBEAR_SIGNKEY_DSS, NULL, 1, NULL},
|
||||
#endif
|
||||
{NULL, 0, NULL, 0, NULL}
|
||||
@ -251,11 +248,11 @@ algo_type sshhostkey[] = {
|
||||
#if DROPBEAR_DH_GROUP1
|
||||
static const struct dropbear_kex kex_dh_group1 = {DROPBEAR_KEX_NORMAL_DH, dh_p_1, DH_P_1_LEN, NULL, &sha1_desc };
|
||||
#endif
|
||||
#if DROPBEAR_DH_GROUP14
|
||||
#if DROPBEAR_DH_GROUP14_SHA1
|
||||
static const struct dropbear_kex kex_dh_group14_sha1 = {DROPBEAR_KEX_NORMAL_DH, dh_p_14, DH_P_14_LEN, NULL, &sha1_desc };
|
||||
#if DROPBEAR_DH_GROUP14_256
|
||||
static const struct dropbear_kex kex_dh_group14_sha256 = {DROPBEAR_KEX_NORMAL_DH, dh_p_14, DH_P_14_LEN, NULL, &sha256_desc };
|
||||
#endif
|
||||
#if DROPBEAR_DH_GROUP14_SHA256
|
||||
static const struct dropbear_kex kex_dh_group14_sha256 = {DROPBEAR_KEX_NORMAL_DH, dh_p_14, DH_P_14_LEN, NULL, &sha256_desc };
|
||||
#endif
|
||||
#if DROPBEAR_DH_GROUP16
|
||||
static const struct dropbear_kex kex_dh_group16_sha512 = {DROPBEAR_KEX_NORMAL_DH, dh_p_16, DH_P_16_LEN, NULL, &sha512_desc };
|
||||
@ -263,51 +260,51 @@ static const struct dropbear_kex kex_dh_group16_sha512 = {DROPBEAR_KEX_NORMAL_DH
|
||||
|
||||
/* These can't be const since dropbear_ecc_fill_dp() fills out
|
||||
ecc_curve at runtime */
|
||||
#ifdef DROPBEAR_ECDH
|
||||
#ifdef DROPBEAR_ECC_256
|
||||
#if DROPBEAR_ECDH
|
||||
#if DROPBEAR_ECC_256
|
||||
static const struct dropbear_kex kex_ecdh_nistp256 = {DROPBEAR_KEX_ECDH, NULL, 0, &ecc_curve_nistp256, &sha256_desc };
|
||||
#endif
|
||||
#ifdef DROPBEAR_ECC_384
|
||||
#if DROPBEAR_ECC_384
|
||||
static const struct dropbear_kex kex_ecdh_nistp384 = {DROPBEAR_KEX_ECDH, NULL, 0, &ecc_curve_nistp384, &sha384_desc };
|
||||
#endif
|
||||
#ifdef DROPBEAR_ECC_521
|
||||
#if DROPBEAR_ECC_521
|
||||
static const struct dropbear_kex kex_ecdh_nistp521 = {DROPBEAR_KEX_ECDH, NULL, 0, &ecc_curve_nistp521, &sha512_desc };
|
||||
#endif
|
||||
#endif /* DROPBEAR_ECDH */
|
||||
|
||||
#ifdef DROPBEAR_CURVE25519
|
||||
#if DROPBEAR_CURVE25519
|
||||
/* Referred to directly */
|
||||
static const struct dropbear_kex kex_curve25519 = {DROPBEAR_KEX_CURVE25519, NULL, 0, NULL, &sha256_desc };
|
||||
#endif
|
||||
|
||||
algo_type sshkex[] = {
|
||||
#ifdef DROPBEAR_CURVE25519
|
||||
#if DROPBEAR_CURVE25519
|
||||
{"curve25519-sha256@libssh.org", 0, &kex_curve25519, 1, NULL},
|
||||
#endif
|
||||
#ifdef DROPBEAR_ECDH
|
||||
#ifdef DROPBEAR_ECC_521
|
||||
#if DROPBEAR_ECDH
|
||||
#if DROPBEAR_ECC_521
|
||||
{"ecdh-sha2-nistp521", 0, &kex_ecdh_nistp521, 1, NULL},
|
||||
#endif
|
||||
#ifdef DROPBEAR_ECC_384
|
||||
#if DROPBEAR_ECC_384
|
||||
{"ecdh-sha2-nistp384", 0, &kex_ecdh_nistp384, 1, NULL},
|
||||
#endif
|
||||
#ifdef DROPBEAR_ECC_256
|
||||
#if DROPBEAR_ECC_256
|
||||
{"ecdh-sha2-nistp256", 0, &kex_ecdh_nistp256, 1, NULL},
|
||||
#endif
|
||||
#endif
|
||||
#if DROPBEAR_DH_GROUP14
|
||||
#if DROPBEAR_DH_GROUP14_256
|
||||
{"diffie-hellman-group14-sha256", 0, &kex_dh_group14_sha256, 1, NULL},
|
||||
#endif
|
||||
#if DROPBEAR_DH_GROUP14_SHA1
|
||||
{"diffie-hellman-group14-sha1", 0, &kex_dh_group14_sha1, 1, NULL},
|
||||
#endif
|
||||
#if DROPBEAR_DH_GROUP14_SHA256
|
||||
{"diffie-hellman-group14-sha256", 0, &kex_dh_group14_sha256, 1, NULL},
|
||||
#endif
|
||||
#if DROPBEAR_DH_GROUP1
|
||||
{"diffie-hellman-group1-sha1", 0, &kex_dh_group1, 1, NULL},
|
||||
#endif
|
||||
#if DROPBEAR_DH_GROUP16
|
||||
{"diffie-hellman-group16-sha512", 0, &kex_dh_group16_sha512, 1, NULL},
|
||||
#endif
|
||||
#ifdef USE_KEXGUESS2
|
||||
#if DROPBEAR_KEXGUESS2
|
||||
{KEXGUESS2_ALGO_NAME, KEXGUESS2_ALGO_ID, NULL, 1, NULL},
|
||||
#endif
|
||||
{NULL, 0, NULL, 0, NULL}
|
||||
@ -349,6 +346,7 @@ void buf_put_algolist(buffer * buf, algo_type localalgos[]) {
|
||||
}
|
||||
}
|
||||
buf_putstring(buf, (const char*)algolist->data, algolist->len);
|
||||
TRACE(("algolist add '%*s'", algolist->len, algolist->data))
|
||||
buf_free(algolist);
|
||||
}
|
||||
|
||||
@ -468,7 +466,7 @@ out:
|
||||
return ret;
|
||||
}
|
||||
|
||||
#ifdef DROPBEAR_NONE_CIPHER
|
||||
#if DROPBEAR_NONE_CIPHER
|
||||
|
||||
void
|
||||
set_algo_usable(algo_type algos[], const char * algo_name, int usable)
|
||||
@ -500,7 +498,7 @@ get_algo_usable(algo_type algos[], const char * algo_name)
|
||||
|
||||
#endif /* DROPBEAR_NONE_CIPHER */
|
||||
|
||||
#ifdef ENABLE_USER_ALGO_LIST
|
||||
#if DROPBEAR_USER_ALGO_LIST
|
||||
|
||||
char *
|
||||
algolist_string(algo_type algos[])
|
||||
@ -577,4 +575,4 @@ check_user_algos(const char* user_algo_list, algo_type * algos,
|
||||
memcpy(algos, new_algos, sizeof(*new_algos) * (n+1));
|
||||
return n;
|
||||
}
|
||||
#endif /* ENABLE_USER_ALGO_LIST */
|
||||
#endif /* DROPBEAR_USER_ALGO_LIST */
|
||||
|
@ -32,7 +32,6 @@
|
||||
#include "circbuffer.h"
|
||||
#include "dbutil.h"
|
||||
#include "channel.h"
|
||||
#include "ssh.h"
|
||||
#include "listener.h"
|
||||
#include "runopts.h"
|
||||
#include "netio.h"
|
||||
@ -78,7 +77,7 @@ void chaninitialise(const struct ChanType *chantypes[]) {
|
||||
|
||||
ses.chantypes = chantypes;
|
||||
|
||||
#ifdef USING_LISTENERS
|
||||
#if DROPBEAR_LISTENERS
|
||||
listeners_initialise();
|
||||
#endif
|
||||
|
||||
@ -255,7 +254,7 @@ void channelio(fd_set *readfds, fd_set *writefds) {
|
||||
}
|
||||
}
|
||||
|
||||
#ifdef USING_LISTENERS
|
||||
#if DROPBEAR_LISTENERS
|
||||
handle_listeners(readfds);
|
||||
#endif
|
||||
}
|
||||
@ -595,7 +594,7 @@ void setchannelfds(fd_set *readfds, fd_set *writefds, int allow_reads) {
|
||||
|
||||
} /* foreach channel */
|
||||
|
||||
#ifdef USING_LISTENERS
|
||||
#if DROPBEAR_LISTENERS
|
||||
set_listener_fds(readfds);
|
||||
#endif
|
||||
|
||||
@ -1114,7 +1113,7 @@ static void close_chan_fd(struct Channel *channel, int fd, int how) {
|
||||
}
|
||||
|
||||
|
||||
#if defined(USING_LISTENERS) || defined(DROPBEAR_CLIENT)
|
||||
#if (DROPBEAR_LISTENERS) || (DROPBEAR_CLIENT)
|
||||
/* Create a new channel, and start the open request. This is intended
|
||||
* for X11, agent, tcp forwarding, and should be filled with channel-specific
|
||||
* options, with the calling function calling encrypt_packet() after
|
||||
@ -1210,7 +1209,7 @@ void recv_msg_channel_open_failure() {
|
||||
|
||||
remove_channel(channel);
|
||||
}
|
||||
#endif /* USING_LISTENERS */
|
||||
#endif /* DROPBEAR_LISTENERS */
|
||||
|
||||
void send_msg_request_success() {
|
||||
CHECKCLEARTOWRITE();
|
||||
|
@ -640,7 +640,7 @@ void kexdh_comb_key(struct kex_dh_param *param, mp_int *dh_pub_them,
|
||||
finish_kexhashbuf();
|
||||
}
|
||||
|
||||
#ifdef DROPBEAR_ECDH
|
||||
#if DROPBEAR_ECDH
|
||||
struct kex_ecdh_param *gen_kexecdh_param() {
|
||||
struct kex_ecdh_param *param = m_malloc(sizeof(*param));
|
||||
if (ecc_make_key_ex(NULL, dropbear_ltc_prng,
|
||||
@ -692,7 +692,7 @@ void kexecdh_comb_key(struct kex_ecdh_param *param, buffer *pub_them,
|
||||
}
|
||||
#endif /* DROPBEAR_ECDH */
|
||||
|
||||
#ifdef DROPBEAR_CURVE25519
|
||||
#if DROPBEAR_CURVE25519
|
||||
struct kex_curve25519_param *gen_kexcurve25519_param () {
|
||||
/* Per http://cr.yp.to/ecdh.html */
|
||||
struct kex_curve25519_param *param = m_malloc(sizeof(*param));
|
||||
@ -774,7 +774,7 @@ static void finish_kexhashbuf(void) {
|
||||
hash_desc->done(&hs, buf_getwriteptr(ses.hash, hash_desc->hashsize));
|
||||
buf_setlen(ses.hash, hash_desc->hashsize);
|
||||
|
||||
#if defined(DEBUG_KEXHASH) && defined(DEBUG_TRACE)
|
||||
#if (DEBUG_KEXHASH) && (DEBUG_TRACE)
|
||||
if (!debug_trace) {
|
||||
printhex("kexhashbuf", ses.kexhashbuf->data, ses.kexhashbuf->len);
|
||||
printhex("kexhash", ses.hash->data, ses.hash->len);
|
||||
@ -814,7 +814,7 @@ static void read_kex_algos() {
|
||||
int allgood = 1; /* we AND this with each goodguess and see if its still
|
||||
true after */
|
||||
|
||||
#ifdef USE_KEXGUESS2
|
||||
#if DROPBEAR_KEXGUESS2
|
||||
enum kexguess2_used kexguess2 = KEXGUESS2_LOOK;
|
||||
#else
|
||||
enum kexguess2_used kexguess2 = KEXGUESS2_NO;
|
||||
|
@ -62,7 +62,7 @@ out:
|
||||
return ret;
|
||||
}
|
||||
|
||||
#ifdef ENABLE_USER_ALGO_LIST
|
||||
#if DROPBEAR_USER_ALGO_LIST
|
||||
void
|
||||
parse_ciphers_macs()
|
||||
{
|
||||
|
@ -54,7 +54,7 @@ int exitflag = 0; /* GLOBAL */
|
||||
void common_session_init(int sock_in, int sock_out) {
|
||||
time_t now;
|
||||
|
||||
#ifdef DEBUG_TRACE
|
||||
#if DEBUG_TRACE
|
||||
debug_start_net();
|
||||
#endif
|
||||
|
||||
@ -295,7 +295,7 @@ void session_cleanup() {
|
||||
}
|
||||
|
||||
/* After these are freed most functions will fail */
|
||||
#ifdef DROPBEAR_CLEANUP
|
||||
#if DROPBEAR_CLEANUP
|
||||
/* listeners call cleanup functions, this should occur before
|
||||
other session state is freed. */
|
||||
remove_all_listeners();
|
||||
|
17
compat.c
17
compat.c
@ -114,8 +114,8 @@ size_t strlcpy(char *dst, const char *src, size_t size) {
|
||||
#endif /* HAVE_STRLCPY */
|
||||
|
||||
#ifndef HAVE_STRLCAT
|
||||
/* taken from openbsd-compat for OpenSSH 3.6.1p1 */
|
||||
/* "$OpenBSD: strlcat.c,v 1.8 2001/05/13 15:40:15 deraadt Exp $"
|
||||
/* taken from openbsd-compat for OpenSSH 7.2p2 */
|
||||
/* "$OpenBSD: strlcat.c,v 1.13 2005/08/08 08:05:37 espie Exp $"
|
||||
*
|
||||
* Appends src to string dst of size siz (unlike strncat, siz is the
|
||||
* full size of dst, not space left). At most siz-1 characters
|
||||
@ -123,15 +123,12 @@ size_t strlcpy(char *dst, const char *src, size_t size) {
|
||||
* Returns strlen(src) + MIN(siz, strlen(initial dst)).
|
||||
* If retval >= siz, truncation occurred.
|
||||
*/
|
||||
size_t
|
||||
strlcat(dst, src, siz)
|
||||
char *dst;
|
||||
const char *src;
|
||||
size_t siz;
|
||||
size_t
|
||||
strlcat(char *dst, const char *src, size_t siz)
|
||||
{
|
||||
register char *d = dst;
|
||||
register const char *s = src;
|
||||
register size_t n = siz;
|
||||
char *d = dst;
|
||||
const char *s = src;
|
||||
size_t n = siz;
|
||||
size_t dlen;
|
||||
|
||||
/* Find the end of dst and adjust bytes left but don't go past end */
|
||||
|
@ -4,7 +4,7 @@
|
||||
#include "ltc_prng.h"
|
||||
#include "ecc.h"
|
||||
|
||||
#ifdef DROPBEAR_LTC_PRNG
|
||||
#if DROPBEAR_LTC_PRNG
|
||||
int dropbear_ltc_prng = -1;
|
||||
#endif
|
||||
|
||||
@ -14,16 +14,16 @@
|
||||
void crypto_init() {
|
||||
|
||||
const struct ltc_cipher_descriptor *regciphers[] = {
|
||||
#ifdef DROPBEAR_AES
|
||||
#if DROPBEAR_AES
|
||||
&aes_desc,
|
||||
#endif
|
||||
#ifdef DROPBEAR_BLOWFISH
|
||||
#if DROPBEAR_BLOWFISH
|
||||
&blowfish_desc,
|
||||
#endif
|
||||
#ifdef DROPBEAR_TWOFISH
|
||||
#if DROPBEAR_TWOFISH
|
||||
&twofish_desc,
|
||||
#endif
|
||||
#ifdef DROPBEAR_3DES
|
||||
#if DROPBEAR_3DES
|
||||
&des3_desc,
|
||||
#endif
|
||||
NULL
|
||||
@ -32,16 +32,16 @@ void crypto_init() {
|
||||
const struct ltc_hash_descriptor *reghashes[] = {
|
||||
/* we need sha1 for hostkey stuff regardless */
|
||||
&sha1_desc,
|
||||
#ifdef DROPBEAR_MD5_HMAC
|
||||
#if DROPBEAR_MD5_HMAC
|
||||
&md5_desc,
|
||||
#endif
|
||||
#ifdef DROPBEAR_SHA256
|
||||
#if DROPBEAR_SHA256
|
||||
&sha256_desc,
|
||||
#endif
|
||||
#ifdef DROPBEAR_SHA384
|
||||
#if DROPBEAR_SHA384
|
||||
&sha384_desc,
|
||||
#endif
|
||||
#ifdef DROPBEAR_SHA512
|
||||
#if DROPBEAR_SHA512
|
||||
&sha512_desc,
|
||||
#endif
|
||||
NULL
|
||||
@ -60,14 +60,14 @@ void crypto_init() {
|
||||
}
|
||||
}
|
||||
|
||||
#ifdef DROPBEAR_LTC_PRNG
|
||||
#if DROPBEAR_LTC_PRNG
|
||||
dropbear_ltc_prng = register_prng(&dropbear_prng_desc);
|
||||
if (dropbear_ltc_prng == -1) {
|
||||
dropbear_exit("Error registering crypto");
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef DROPBEAR_ECC
|
||||
#if DROPBEAR_ECC
|
||||
ltc_mp = ltm_desc;
|
||||
dropbear_ecc_fill_dp();
|
||||
#endif
|
||||
|
@ -59,7 +59,7 @@ process_file(hash_state *hs, const char *filename,
|
||||
unsigned int readcount;
|
||||
int ret = DROPBEAR_FAILURE;
|
||||
|
||||
#ifdef DROPBEAR_PRNGD_SOCKET
|
||||
#if DROPBEAR_PRNGD_SOCKET
|
||||
if (prngd)
|
||||
{
|
||||
readfd = connect_unix(filename);
|
||||
@ -107,7 +107,7 @@ process_file(hash_state *hs, const char *filename,
|
||||
wantread = MIN(sizeof(readbuf), len-readcount);
|
||||
}
|
||||
|
||||
#ifdef DROPBEAR_PRNGD_SOCKET
|
||||
#if DROPBEAR_PRNGD_SOCKET
|
||||
if (prngd)
|
||||
{
|
||||
char egdcmd[2];
|
||||
@ -185,7 +185,7 @@ void seedrandom() {
|
||||
/* existing state */
|
||||
sha1_process(&hs, (void*)hashpool, sizeof(hashpool));
|
||||
|
||||
#ifdef DROPBEAR_PRNGD_SOCKET
|
||||
#if DROPBEAR_PRNGD_SOCKET
|
||||
if (process_file(&hs, DROPBEAR_PRNGD_SOCKET, INIT_SEED_SIZE, 1)
|
||||
!= DROPBEAR_SUCCESS) {
|
||||
dropbear_exit("Failure reading random device %s",
|
||||
|
10
dbutil.c
10
dbutil.c
@ -79,7 +79,7 @@ void (*_dropbear_exit)(int exitcode, const char* format, va_list param) ATTRIB_N
|
||||
void (*_dropbear_log)(int priority, const char* format, va_list param)
|
||||
= generic_dropbear_log;
|
||||
|
||||
#ifdef DEBUG_TRACE
|
||||
#if DEBUG_TRACE
|
||||
int debug_trace = 0;
|
||||
#endif
|
||||
|
||||
@ -149,7 +149,7 @@ void dropbear_log(int priority, const char* format, ...) {
|
||||
}
|
||||
|
||||
|
||||
#ifdef DEBUG_TRACE
|
||||
#if DEBUG_TRACE
|
||||
|
||||
static double debug_start_time = -1;
|
||||
|
||||
@ -262,7 +262,7 @@ int spawn_command(void(*exec_fn)(void *user_data), void *exec_data,
|
||||
return DROPBEAR_FAILURE;
|
||||
}
|
||||
|
||||
#ifdef USE_VFORK
|
||||
#if DROPBEAR_VFORK
|
||||
pid = vfork();
|
||||
#else
|
||||
pid = fork();
|
||||
@ -371,7 +371,7 @@ void run_shell_command(const char* cmd, unsigned int maxfd, char* usershell) {
|
||||
execv(usershell, argv);
|
||||
}
|
||||
|
||||
#ifdef DEBUG_TRACE
|
||||
#if DEBUG_TRACE
|
||||
void printhex(const char * label, const unsigned char * buf, int len) {
|
||||
|
||||
int i;
|
||||
@ -465,7 +465,7 @@ out:
|
||||
* authkeys file.
|
||||
* Will return DROPBEAR_SUCCESS if data is read, or DROPBEAR_FAILURE on EOF.*/
|
||||
/* Only used for ~/.ssh/known_hosts and ~/.ssh/authorized_keys */
|
||||
#if defined(DROPBEAR_CLIENT) || defined(ENABLE_SVR_PUBKEY_AUTH)
|
||||
#if DROPBEAR_CLIENT || DROPBEAR_SVR_PUBKEY_AUTH
|
||||
int buf_getline(buffer * line, FILE * authfile) {
|
||||
|
||||
int c = EOF;
|
||||
|
2
dbutil.h
2
dbutil.h
@ -45,7 +45,7 @@ void dropbear_log(int priority, const char* format, ...) ATTRIB_PRINTF(2,3) ;
|
||||
|
||||
void fail_assert(const char* expr, const char* file, int line) ATTRIB_NORETURN;
|
||||
|
||||
#ifdef DEBUG_TRACE
|
||||
#if DEBUG_TRACE
|
||||
void dropbear_trace(const char* format, ...) ATTRIB_PRINTF(1,2);
|
||||
void dropbear_trace2(const char* format, ...) ATTRIB_PRINTF(1,2);
|
||||
void printhex(const char * label, const unsigned char * buf, int len);
|
||||
|
6
debug.h
6
debug.h
@ -39,7 +39,9 @@
|
||||
* Caution: Don't use this in an unfriendly environment (ie unfirewalled),
|
||||
* since the printing may not sanitise strings etc. This will add a reasonable
|
||||
* amount to your executable size. */
|
||||
/*#define DEBUG_TRACE*/
|
||||
#ifndef DEBUG_TRACE
|
||||
#define DEBUG_TRACE 0
|
||||
#endif
|
||||
|
||||
/* All functions writing to the cleartext payload buffer call
|
||||
* CHECKCLEARTOWRITE() before writing. This is only really useful if you're
|
||||
@ -61,7 +63,7 @@
|
||||
/*#define DEBUG_RSA*/
|
||||
|
||||
/* you don't need to touch this block */
|
||||
#ifdef DEBUG_TRACE
|
||||
#if DEBUG_TRACE
|
||||
#define TRACE(X) dropbear_trace X;
|
||||
#define TRACE2(X) dropbear_trace2 X;
|
||||
#else /*DEBUG_TRACE*/
|
||||
|
458
default_options.h
Normal file
458
default_options.h
Normal file
@ -0,0 +1,458 @@
|
||||
#ifndef DROPBEAR_DEFAULT_OPTIONS_H_
|
||||
#define DROPBEAR_DEFAULT_OPTIONS_H_
|
||||
/*
|
||||
> > > Read This < < <
|
||||
|
||||
default_options.h.in (this file) documents compile-time options, and provides
|
||||
default values.
|
||||
|
||||
Local customisation should be added to localoptions.h which is
|
||||
used if it exists. Options defined there will override any options in this
|
||||
file (#ifndef guards added by ifndef_wrapper.sh).
|
||||
|
||||
Options can also be defined with -DDROPBEAR_XXX Makefile CFLAGS
|
||||
|
||||
IMPORTANT: Many options will require "make clean" after changes */
|
||||
|
||||
#ifndef DROPBEAR_DEFPORT
|
||||
#define DROPBEAR_DEFPORT "22"
|
||||
#endif
|
||||
|
||||
/* Listen on all interfaces */
|
||||
#ifndef DROPBEAR_DEFADDRESS
|
||||
#define DROPBEAR_DEFADDRESS ""
|
||||
#endif
|
||||
|
||||
/* Default hostkey paths - these can be specified on the command line */
|
||||
#ifndef DSS_PRIV_FILENAME
|
||||
#define DSS_PRIV_FILENAME "/etc/dropbear/dropbear_dss_host_key"
|
||||
#endif
|
||||
#ifndef RSA_PRIV_FILENAME
|
||||
#define RSA_PRIV_FILENAME "/etc/dropbear/dropbear_rsa_host_key"
|
||||
#endif
|
||||
#ifndef ECDSA_PRIV_FILENAME
|
||||
#define ECDSA_PRIV_FILENAME "/etc/dropbear/dropbear_ecdsa_host_key"
|
||||
#endif
|
||||
|
||||
/* Set NON_INETD_MODE if you require daemon functionality (ie Dropbear listens
|
||||
* on chosen ports and keeps accepting connections. This is the default.
|
||||
*
|
||||
* Set INETD_MODE if you want to be able to run Dropbear with inetd (or
|
||||
* similar), where it will use stdin/stdout for connections, and each process
|
||||
* lasts for a single connection. Dropbear should be invoked with the -i flag
|
||||
* for inetd, and can only accept IPv4 connections.
|
||||
*
|
||||
* Both of these flags can be defined at once, don't compile without at least
|
||||
* one of them. */
|
||||
#ifndef NON_INETD_MODE
|
||||
#define NON_INETD_MODE 1
|
||||
#endif
|
||||
#ifndef INETD_MODE
|
||||
#define INETD_MODE 1
|
||||
#endif
|
||||
|
||||
/* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is
|
||||
* perhaps 20% slower for pubkey operations (it is probably worth experimenting
|
||||
* if you want to use this) */
|
||||
/*#define NO_FAST_EXPTMOD*/
|
||||
|
||||
/* Set this if you want to use the DROPBEAR_SMALL_CODE option. This can save
|
||||
several kB in binary size however will make the symmetrical ciphers and hashes
|
||||
slower, perhaps by 50%. Recommended for small systems that aren't doing
|
||||
much traffic. */
|
||||
#ifndef DROPBEAR_SMALL_CODE
|
||||
#define DROPBEAR_SMALL_CODE 1
|
||||
#endif
|
||||
|
||||
/* Enable X11 Forwarding - server only */
|
||||
#ifndef DROPBEAR_X11FWD
|
||||
#define DROPBEAR_X11FWD 1
|
||||
#endif
|
||||
|
||||
/* Enable TCP Fowarding */
|
||||
/* 'Local' is "-L" style (client listening port forwarded via server)
|
||||
* 'Remote' is "-R" style (server listening port forwarded via client) */
|
||||
|
||||
#ifndef DROPBEAR_CLI_LOCALTCPFWD
|
||||
#define DROPBEAR_CLI_LOCALTCPFWD 1
|
||||
#endif
|
||||
#ifndef DROPBEAR_CLI_REMOTETCPFWD
|
||||
#define DROPBEAR_CLI_REMOTETCPFWD 1
|
||||
#endif
|
||||
|
||||
#ifndef DROPBEAR_SVR_LOCALTCPFWD
|
||||
#define DROPBEAR_SVR_LOCALTCPFWD 1
|
||||
#endif
|
||||
#ifndef DROPBEAR_SVR_REMOTETCPFWD
|
||||
#define DROPBEAR_SVR_REMOTETCPFWD 1
|
||||
#endif
|
||||
|
||||
/* Enable Authentication Agent Forwarding */
|
||||
#ifndef DROPBEAR_SVR_AGENTFWD
|
||||
#define DROPBEAR_SVR_AGENTFWD 1
|
||||
#endif
|
||||
#ifndef DROPBEAR_CLI_AGENTFWD
|
||||
#define DROPBEAR_CLI_AGENTFWD 1
|
||||
#endif
|
||||
|
||||
|
||||
/* Note: Both DROPBEAR_CLI_PROXYCMD and DROPBEAR_CLI_NETCAT must be set to
|
||||
* allow multihop dbclient connections */
|
||||
|
||||
/* Allow using -J <proxycommand> to run the connection through a
|
||||
pipe to a program, rather the normal TCP connection */
|
||||
#ifndef DROPBEAR_CLI_PROXYCMD
|
||||
#define DROPBEAR_CLI_PROXYCMD 1
|
||||
#endif
|
||||
|
||||
/* Enable "Netcat mode" option. This will forward standard input/output
|
||||
* to a remote TCP-forwarded connection */
|
||||
#ifndef DROPBEAR_CLI_NETCAT
|
||||
#define DROPBEAR_CLI_NETCAT 1
|
||||
#endif
|
||||
|
||||
/* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */
|
||||
#ifndef ENABLE_USER_ALGO_LIST
|
||||
#define ENABLE_USER_ALGO_LIST 1
|
||||
#endif
|
||||
|
||||
/* Encryption - at least one required.
|
||||
* Protocol RFC requires 3DES and recommends AES128 for interoperability.
|
||||
* Including multiple keysize variants the same cipher
|
||||
* (eg AES256 as well as AES128) will result in a minimal size increase.*/
|
||||
#ifndef DROPBEAR_AES128
|
||||
#define DROPBEAR_AES128 1
|
||||
#endif
|
||||
#ifndef DROPBEAR_3DES
|
||||
#define DROPBEAR_3DES 1
|
||||
#endif
|
||||
#ifndef DROPBEAR_AES256
|
||||
#define DROPBEAR_AES256 1
|
||||
#endif
|
||||
/* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
|
||||
/*#define DROPBEAR_BLOWFISH*/
|
||||
#ifndef DROPBEAR_TWOFISH256
|
||||
#define DROPBEAR_TWOFISH256 1
|
||||
#endif
|
||||
#ifndef DROPBEAR_TWOFISH128
|
||||
#define DROPBEAR_TWOFISH128 1
|
||||
#endif
|
||||
|
||||
/* Enable CBC mode for ciphers. This has security issues though
|
||||
* is the most compatible with older SSH implementations */
|
||||
#ifndef DROPBEAR_ENABLE_CBC_MODE
|
||||
#define DROPBEAR_ENABLE_CBC_MODE 1
|
||||
#endif
|
||||
|
||||
/* Enable "Counter Mode" for ciphers. This is more secure than normal
|
||||
* CBC mode against certain attacks. It is recommended for security
|
||||
* and forwards compatibility */
|
||||
#ifndef DROPBEAR_ENABLE_CTR_MODE
|
||||
#define DROPBEAR_ENABLE_CTR_MODE 1
|
||||
#endif
|
||||
|
||||
/* Twofish counter mode is disabled by default because it
|
||||
has not been tested for interoperability with other SSH implementations.
|
||||
If you test it please contact the Dropbear author */
|
||||
#ifndef DROPBEAR_TWOFISH_CTR
|
||||
#define DROPBEAR_TWOFISH_CTR 0
|
||||
#endif
|
||||
|
||||
/* Message integrity. sha2-256 is recommended as a default,
|
||||
sha1 for compatibility */
|
||||
#ifndef DROPBEAR_SHA1_HMAC
|
||||
#define DROPBEAR_SHA1_HMAC 1
|
||||
#endif
|
||||
#ifndef DROPBEAR_SHA1_96_HMAC
|
||||
#define DROPBEAR_SHA1_96_HMAC 1
|
||||
#endif
|
||||
#ifndef DROPBEAR_SHA2_256_HMAC
|
||||
#define DROPBEAR_SHA2_256_HMAC 1
|
||||
#endif
|
||||
/* Default is to include it is sha512 is being compiled in for ECDSA */
|
||||
#ifndef DROPBEAR_SHA2_512_HMAC
|
||||
#define DROPBEAR_SHA2_512_HMAC (DROPBEAR_ECDSA)
|
||||
#endif
|
||||
|
||||
/* XXX needed for fingerprints */
|
||||
#ifndef DROPBEAR_MD5_HMAC
|
||||
#define DROPBEAR_MD5_HMAC 0
|
||||
#endif
|
||||
|
||||
/* Hostkey/public key algorithms - at least one required, these are used
|
||||
* for hostkey as well as for verifying signatures with pubkey auth.
|
||||
* Removing either of these won't save very much space.
|
||||
* RSA is recommended
|
||||
* DSS may be necessary to connect to some systems though
|
||||
is not recommended for new keys */
|
||||
#ifndef DROPBEAR_RSA
|
||||
#define DROPBEAR_RSA 1
|
||||
#endif
|
||||
#ifndef DROPBEAR_DSS
|
||||
#define DROPBEAR_DSS 1
|
||||
#endif
|
||||
/* ECDSA is significantly faster than RSA or DSS. Compiling in ECC
|
||||
* code (either ECDSA or ECDH) increases binary size - around 30kB
|
||||
* on x86-64 */
|
||||
#ifndef DROPBEAR_ECDSA
|
||||
#define DROPBEAR_ECDSA 1
|
||||
#endif
|
||||
|
||||
/* Add runtime flag "-R" to generate hostkeys as-needed when the first
|
||||
connection using that key type occurs.
|
||||
This avoids the need to otherwise run "dropbearkey" and avoids some problems
|
||||
with badly seeded /dev/urandom when systems first boot. */
|
||||
#ifndef DROPBEAR_DELAY_HOSTKEY
|
||||
#define DROPBEAR_DELAY_HOSTKEY 1
|
||||
#endif
|
||||
|
||||
/* Enable Curve25519 for key exchange. This is another elliptic
|
||||
* curve method with good security properties. Increases binary size
|
||||
* by ~8kB on x86-64 */
|
||||
#ifndef DROPBEAR_CURVE25519
|
||||
#define DROPBEAR_CURVE25519 1
|
||||
#endif
|
||||
|
||||
/* Enable elliptic curve Diffie Hellman key exchange, see note about
|
||||
* ECDSA above */
|
||||
#ifndef DROPBEAR_ECDH
|
||||
#define DROPBEAR_ECDH 1
|
||||
#endif
|
||||
|
||||
/* Key exchange algorithm.
|
||||
* group14_sha1 - 2048 bit, sha1
|
||||
* group14_sha256 - 2048 bit, sha2-256
|
||||
* group16 - 4096 bit, sha2-512
|
||||
* group1 - 1024 bit, sha1
|
||||
*
|
||||
* group14 is supported by most implementations.
|
||||
* group16 provides a greater strength level but is slower and increases binary size
|
||||
* group1 is too small for security though is necessary if you need
|
||||
compatibility with some implementations such as Dropbear versions < 0.53
|
||||
*/
|
||||
#ifndef DROPBEAR_DH_GROUP1
|
||||
#define DROPBEAR_DH_GROUP1 1
|
||||
#endif
|
||||
#ifndef DROPBEAR_DH_GROUP14_SHA1
|
||||
#define DROPBEAR_DH_GROUP14_SHA1 1
|
||||
#endif
|
||||
#ifndef DROPBEAR_DH_GROUP14_SHA256
|
||||
#define DROPBEAR_DH_GROUP14_SHA256 1
|
||||
#endif
|
||||
#ifndef DROPBEAR_DH_GROUP16
|
||||
#define DROPBEAR_DH_GROUP16 0
|
||||
#endif
|
||||
|
||||
/* Control the memory/performance/compression tradeoff for zlib.
|
||||
* Set windowBits=8 for least memory usage, see your system's
|
||||
* zlib.h for full details.
|
||||
* Default settings (windowBits=15) will use 256kB for compression
|
||||
* windowBits=8 will use 129kB for compression.
|
||||
* Both modes will use ~35kB for decompression (using windowBits=15 for
|
||||
* interoperability) */
|
||||
#ifndef DROPBEAR_ZLIB_WINDOW_BITS
|
||||
#define DROPBEAR_ZLIB_WINDOW_BITS 15
|
||||
#endif
|
||||
|
||||
/* Whether to do reverse DNS lookups. */
|
||||
#ifndef DO_HOST_LOOKUP
|
||||
#define DO_HOST_LOOKUP 0
|
||||
#endif
|
||||
|
||||
/* Whether to print the message of the day (MOTD). */
|
||||
#ifndef DO_MOTD
|
||||
#define DO_MOTD 0
|
||||
#endif
|
||||
|
||||
/* The MOTD file path */
|
||||
#ifndef MOTD_FILENAME
|
||||
#define MOTD_FILENAME "/etc/motd"
|
||||
#endif
|
||||
|
||||
/* Authentication Types - at least one required.
|
||||
RFC Draft requires pubkey auth, and recommends password */
|
||||
|
||||
/* Note: PAM auth is quite simple and only works for PAM modules which just do
|
||||
* a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c).
|
||||
* It's useful for systems like OS X where standard password crypts don't work
|
||||
* but there's an interface via a PAM module. It won't work for more complex
|
||||
* PAM challenge/response.
|
||||
* You can't enable both PASSWORD and PAM. */
|
||||
|
||||
/* This requires crypt() */
|
||||
#ifdef HAVE_CRYPT
|
||||
#ifndef DROPBEAR_SVR_PASSWORD_AUTH
|
||||
#define DROPBEAR_SVR_PASSWORD_AUTH 1
|
||||
#endif
|
||||
#else
|
||||
#ifndef DROPBEAR_SVR_PASSWORD_AUTH
|
||||
#define DROPBEAR_SVR_PASSWORD_AUTH 0
|
||||
#endif
|
||||
#endif
|
||||
/* PAM requires ./configure --enable-pam */
|
||||
#ifndef DROPBEAR_SVR_PAM_AUTH
|
||||
#define DROPBEAR_SVR_PAM_AUTH 0
|
||||
#endif
|
||||
#ifndef DROPBEAR_SVR_PUBKEY_AUTH
|
||||
#define DROPBEAR_SVR_PUBKEY_AUTH 1
|
||||
#endif
|
||||
|
||||
/* Whether to take public key options in
|
||||
* authorized_keys file into account */
|
||||
#ifndef DROPBEAR_SVR_PUBKEY_OPTIONS
|
||||
#define DROPBEAR_SVR_PUBKEY_OPTIONS 1
|
||||
#endif
|
||||
|
||||
/* This requires getpass. */
|
||||
#ifdef HAVE_GETPASS
|
||||
#ifndef DROPBEAR_CLI_PASSWORD_AUTH
|
||||
#define DROPBEAR_CLI_PASSWORD_AUTH 1
|
||||
#endif
|
||||
#ifndef DROPBEAR_CLI_INTERACT_AUTH
|
||||
#define DROPBEAR_CLI_INTERACT_AUTH 1
|
||||
#endif
|
||||
#endif
|
||||
#ifndef DROPBEAR_CLI_PUBKEY_AUTH
|
||||
#define DROPBEAR_CLI_PUBKEY_AUTH 1
|
||||
#endif
|
||||
|
||||
/* A default argument for dbclient -i <privatekey>.
|
||||
Homedir is prepended unless path begins with / */
|
||||
#ifndef DROPBEAR_DEFAULT_CLI_AUTHKEY
|
||||
#define DROPBEAR_DEFAULT_CLI_AUTHKEY ".ssh/id_dropbear"
|
||||
#endif
|
||||
|
||||
/* This variable can be used to set a password for client
|
||||
* authentication on the commandline. Beware of platforms
|
||||
* that don't protect environment variables of processes etc. Also
|
||||
* note that it will be provided for all "hidden" client-interactive
|
||||
* style prompts - if you want something more sophisticated, use
|
||||
* SSH_ASKPASS instead. Comment out this var to remove this functionality.*/
|
||||
#ifndef DROPBEAR_PASSWORD_ENV
|
||||
#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"
|
||||
#endif
|
||||
|
||||
/* Define this (as well as DROPBEAR_CLI_PASSWORD_AUTH) to allow the use of
|
||||
* a helper program for the ssh client. The helper program should be
|
||||
* specified in the SSH_ASKPASS environment variable, and dbclient
|
||||
* should be run with DISPLAY set and no tty. The program should
|
||||
* return the password on standard output */
|
||||
#ifndef DROPBEAR_CLI_ASKPASS_HELPER
|
||||
#define DROPBEAR_CLI_ASKPASS_HELPER 0
|
||||
#endif
|
||||
|
||||
/* Save a network roundtrip by sendng a real auth request immediately after
|
||||
* sending a query for the available methods. It is at the expense of < 100
|
||||
* bytes of extra network traffic. This is not yet enabled by default since it
|
||||
* could cause problems with non-compliant servers */
|
||||
#ifndef DROPBEAR_CLI_IMMEDIATE_AUTH
|
||||
#define DROPBEAR_CLI_IMMEDIATE_AUTH 0
|
||||
#endif
|
||||
|
||||
/* Source for randomness. This must be able to provide hundreds of bytes per SSH
|
||||
* connection without blocking. In addition /dev/random is used for seeding
|
||||
* rsa/dss key generation */
|
||||
#ifndef DROPBEAR_URANDOM_DEV
|
||||
#define DROPBEAR_URANDOM_DEV "/dev/urandom"
|
||||
#endif
|
||||
|
||||
/* Set this to use PRNGD or EGD instead of /dev/urandom or /dev/random */
|
||||
/*#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"*/
|
||||
|
||||
|
||||
/* Specify the number of clients we will allow to be connected but
|
||||
* not yet authenticated. After this limit, connections are rejected */
|
||||
/* The first setting is per-IP, to avoid denial of service */
|
||||
#ifndef MAX_UNAUTH_PER_IP
|
||||
#define MAX_UNAUTH_PER_IP 5
|
||||
#endif
|
||||
|
||||
/* And then a global limit to avoid chewing memory if connections
|
||||
* come from many IPs */
|
||||
#ifndef MAX_UNAUTH_CLIENTS
|
||||
#define MAX_UNAUTH_CLIENTS 30
|
||||
#endif
|
||||
|
||||
/* Maximum number of failed authentication tries (server option) */
|
||||
#ifndef MAX_AUTH_TRIES
|
||||
#define MAX_AUTH_TRIES 10
|
||||
#endif
|
||||
|
||||
/* The default file to store the daemon's process ID, for shutdown
|
||||
scripts etc. This can be overridden with the -P flag */
|
||||
#ifndef DROPBEAR_PIDFILE
|
||||
#define DROPBEAR_PIDFILE "/var/run/dropbear.pid"
|
||||
#endif
|
||||
|
||||
/* The command to invoke for xauth when using X11 forwarding.
|
||||
* "-q" for quiet */
|
||||
#ifndef XAUTH_COMMAND
|
||||
#define XAUTH_COMMAND "/usr/bin/xauth -q"
|
||||
#endif
|
||||
|
||||
/* if you want to enable running an sftp server (such as the one included with
|
||||
* OpenSSH), set the path below. If the path isn't defined, sftp will not
|
||||
* be enabled */
|
||||
#ifndef SFTPSERVER_PATH
|
||||
#define SFTPSERVER_PATH "/usr/libexec/sftp-server"
|
||||
#endif
|
||||
|
||||
/* This is used by the scp binary when used as a client binary. If you're
|
||||
* not using the Dropbear client, you'll need to change it */
|
||||
#ifndef DROPBEAR_PATH_SSH_PROGRAM
|
||||
#define DROPBEAR_PATH_SSH_PROGRAM "/usr/bin/dbclient"
|
||||
#endif
|
||||
|
||||
/* Whether to log commands executed by a client. This only logs the
|
||||
* (single) command sent to the server, not what a user did in a
|
||||
* shell/sftp session etc. */
|
||||
#ifndef LOG_COMMANDS
|
||||
#define LOG_COMMANDS 0
|
||||
#endif
|
||||
|
||||
/* Window size limits. These tend to be a trade-off between memory
|
||||
usage and network performance: */
|
||||
/* Size of the network receive window. This amount of memory is allocated
|
||||
as a per-channel receive buffer. Increasing this value can make a
|
||||
significant difference to network performance. 24kB was empirically
|
||||
chosen for a 100mbit ethernet network. The value can be altered at
|
||||
runtime with the -W argument. */
|
||||
#ifndef DEFAULT_RECV_WINDOW
|
||||
#define DEFAULT_RECV_WINDOW 24576
|
||||
#endif
|
||||
/* Maximum size of a received SSH data packet - this _MUST_ be >= 32768
|
||||
in order to interoperate with other implementations */
|
||||
#ifndef RECV_MAX_PAYLOAD_LEN
|
||||
#define RECV_MAX_PAYLOAD_LEN 32768
|
||||
#endif
|
||||
/* Maximum size of a transmitted data packet - this can be any value,
|
||||
though increasing it may not make a significant difference. */
|
||||
#ifndef TRANS_MAX_PAYLOAD_LEN
|
||||
#define TRANS_MAX_PAYLOAD_LEN 16384
|
||||
#endif
|
||||
|
||||
/* Ensure that data is transmitted every KEEPALIVE seconds. This can
|
||||
be overridden at runtime with -K. 0 disables keepalives */
|
||||
#ifndef DEFAULT_KEEPALIVE
|
||||
#define DEFAULT_KEEPALIVE 0
|
||||
#endif
|
||||
|
||||
/* If this many KEEPALIVES are sent with no packets received from the
|
||||
other side, exit. Not run-time configurable - if you have a need
|
||||
for runtime configuration please mail the Dropbear list */
|
||||
#ifndef DEFAULT_KEEPALIVE_LIMIT
|
||||
#define DEFAULT_KEEPALIVE_LIMIT 3
|
||||
#endif
|
||||
|
||||
/* Ensure that data is received within IDLE_TIMEOUT seconds. This can
|
||||
be overridden at runtime with -I. 0 disables idle timeouts */
|
||||
#ifndef DEFAULT_IDLE_TIMEOUT
|
||||
#define DEFAULT_IDLE_TIMEOUT 0
|
||||
#endif
|
||||
|
||||
/* The default path. This will often get replaced by the shell */
|
||||
#ifndef DEFAULT_PATH
|
||||
#define DEFAULT_PATH "/usr/bin:/bin"
|
||||
#endif
|
||||
|
||||
#endif /* DROPBEAR_DEFAULT_OPTIONS_H_ */
|
312
default_options.h.in
Normal file
312
default_options.h.in
Normal file
@ -0,0 +1,312 @@
|
||||
#ifndef DROPBEAR_DEFAULT_OPTIONS_H_
|
||||
#define DROPBEAR_DEFAULT_OPTIONS_H_
|
||||
/*
|
||||
> > > Read This < < <
|
||||
|
||||
default_options.h.in (this file) documents compile-time options, and provides
|
||||
default values.
|
||||
|
||||
Local customisation should be added to localoptions.h which is
|
||||
used if it exists. Options defined there will override any options in this
|
||||
file (#ifndef guards added by ifndef_wrapper.sh).
|
||||
|
||||
Options can also be defined with -DDROPBEAR_XXX Makefile CFLAGS
|
||||
|
||||
IMPORTANT: Many options will require "make clean" after changes */
|
||||
|
||||
#define DROPBEAR_DEFPORT "22"
|
||||
|
||||
/* Listen on all interfaces */
|
||||
#define DROPBEAR_DEFADDRESS ""
|
||||
|
||||
/* Default hostkey paths - these can be specified on the command line */
|
||||
#define DSS_PRIV_FILENAME "/etc/dropbear/dropbear_dss_host_key"
|
||||
#define RSA_PRIV_FILENAME "/etc/dropbear/dropbear_rsa_host_key"
|
||||
#define ECDSA_PRIV_FILENAME "/etc/dropbear/dropbear_ecdsa_host_key"
|
||||
|
||||
/* Set NON_INETD_MODE if you require daemon functionality (ie Dropbear listens
|
||||
* on chosen ports and keeps accepting connections. This is the default.
|
||||
*
|
||||
* Set INETD_MODE if you want to be able to run Dropbear with inetd (or
|
||||
* similar), where it will use stdin/stdout for connections, and each process
|
||||
* lasts for a single connection. Dropbear should be invoked with the -i flag
|
||||
* for inetd, and can only accept IPv4 connections.
|
||||
*
|
||||
* Both of these flags can be defined at once, don't compile without at least
|
||||
* one of them. */
|
||||
#define NON_INETD_MODE 1
|
||||
#define INETD_MODE 1
|
||||
|
||||
/* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is
|
||||
* perhaps 20% slower for pubkey operations (it is probably worth experimenting
|
||||
* if you want to use this) */
|
||||
/*#define NO_FAST_EXPTMOD*/
|
||||
|
||||
/* Set this if you want to use the DROPBEAR_SMALL_CODE option. This can save
|
||||
several kB in binary size however will make the symmetrical ciphers and hashes
|
||||
slower, perhaps by 50%. Recommended for small systems that aren't doing
|
||||
much traffic. */
|
||||
#define DROPBEAR_SMALL_CODE 1
|
||||
|
||||
/* Enable X11 Forwarding - server only */
|
||||
#define DROPBEAR_X11FWD 1
|
||||
|
||||
/* Enable TCP Fowarding */
|
||||
/* 'Local' is "-L" style (client listening port forwarded via server)
|
||||
* 'Remote' is "-R" style (server listening port forwarded via client) */
|
||||
|
||||
#define DROPBEAR_CLI_LOCALTCPFWD 1
|
||||
#define DROPBEAR_CLI_REMOTETCPFWD 1
|
||||
|
||||
#define DROPBEAR_SVR_LOCALTCPFWD 1
|
||||
#define DROPBEAR_SVR_REMOTETCPFWD 1
|
||||
|
||||
/* Enable Authentication Agent Forwarding */
|
||||
#define DROPBEAR_SVR_AGENTFWD 1
|
||||
#define DROPBEAR_CLI_AGENTFWD 1
|
||||
|
||||
|
||||
/* Note: Both DROPBEAR_CLI_PROXYCMD and DROPBEAR_CLI_NETCAT must be set to
|
||||
* allow multihop dbclient connections */
|
||||
|
||||
/* Allow using -J <proxycommand> to run the connection through a
|
||||
pipe to a program, rather the normal TCP connection */
|
||||
#define DROPBEAR_CLI_PROXYCMD 1
|
||||
|
||||
/* Enable "Netcat mode" option. This will forward standard input/output
|
||||
* to a remote TCP-forwarded connection */
|
||||
#define DROPBEAR_CLI_NETCAT 1
|
||||
|
||||
/* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */
|
||||
#define ENABLE_USER_ALGO_LIST 1
|
||||
|
||||
/* Encryption - at least one required.
|
||||
* Protocol RFC requires 3DES and recommends AES128 for interoperability.
|
||||
* Including multiple keysize variants the same cipher
|
||||
* (eg AES256 as well as AES128) will result in a minimal size increase.*/
|
||||
#define DROPBEAR_AES128 1
|
||||
#define DROPBEAR_3DES 1
|
||||
#define DROPBEAR_AES256 1
|
||||
/* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
|
||||
/*#define DROPBEAR_BLOWFISH*/
|
||||
#define DROPBEAR_TWOFISH256 1
|
||||
#define DROPBEAR_TWOFISH128 1
|
||||
|
||||
/* Enable CBC mode for ciphers. This has security issues though
|
||||
* is the most compatible with older SSH implementations */
|
||||
#define DROPBEAR_ENABLE_CBC_MODE 1
|
||||
|
||||
/* Enable "Counter Mode" for ciphers. This is more secure than normal
|
||||
* CBC mode against certain attacks. It is recommended for security
|
||||
* and forwards compatibility */
|
||||
#define DROPBEAR_ENABLE_CTR_MODE 1
|
||||
|
||||
/* Twofish counter mode is disabled by default because it
|
||||
has not been tested for interoperability with other SSH implementations.
|
||||
If you test it please contact the Dropbear author */
|
||||
#define DROPBEAR_TWOFISH_CTR 0
|
||||
|
||||
/* Message integrity. sha2-256 is recommended as a default,
|
||||
sha1 for compatibility */
|
||||
#define DROPBEAR_SHA1_HMAC 1
|
||||
#define DROPBEAR_SHA1_96_HMAC 1
|
||||
#define DROPBEAR_SHA2_256_HMAC 1
|
||||
/* Default is to include it is sha512 is being compiled in for ECDSA */
|
||||
#define DROPBEAR_SHA2_512_HMAC (DROPBEAR_ECDSA)
|
||||
|
||||
/* XXX needed for fingerprints */
|
||||
#define DROPBEAR_MD5_HMAC 0
|
||||
|
||||
/* Hostkey/public key algorithms - at least one required, these are used
|
||||
* for hostkey as well as for verifying signatures with pubkey auth.
|
||||
* Removing either of these won't save very much space.
|
||||
* RSA is recommended
|
||||
* DSS may be necessary to connect to some systems though
|
||||
is not recommended for new keys */
|
||||
#define DROPBEAR_RSA 1
|
||||
#define DROPBEAR_DSS 1
|
||||
/* ECDSA is significantly faster than RSA or DSS. Compiling in ECC
|
||||
* code (either ECDSA or ECDH) increases binary size - around 30kB
|
||||
* on x86-64 */
|
||||
#define DROPBEAR_ECDSA 1
|
||||
|
||||
/* Add runtime flag "-R" to generate hostkeys as-needed when the first
|
||||
connection using that key type occurs.
|
||||
This avoids the need to otherwise run "dropbearkey" and avoids some problems
|
||||
with badly seeded /dev/urandom when systems first boot. */
|
||||
#define DROPBEAR_DELAY_HOSTKEY 1
|
||||
|
||||
/* Enable Curve25519 for key exchange. This is another elliptic
|
||||
* curve method with good security properties. Increases binary size
|
||||
* by ~8kB on x86-64 */
|
||||
#define DROPBEAR_CURVE25519 1
|
||||
|
||||
/* Enable elliptic curve Diffie Hellman key exchange, see note about
|
||||
* ECDSA above */
|
||||
#define DROPBEAR_ECDH 1
|
||||
|
||||
/* Key exchange algorithm.
|
||||
* group14_sha1 - 2048 bit, sha1
|
||||
* group14_sha256 - 2048 bit, sha2-256
|
||||
* group16 - 4096 bit, sha2-512
|
||||
* group1 - 1024 bit, sha1
|
||||
*
|
||||
* group14 is supported by most implementations.
|
||||
* group16 provides a greater strength level but is slower and increases binary size
|
||||
* group1 is too small for security though is necessary if you need
|
||||
compatibility with some implementations such as Dropbear versions < 0.53
|
||||
*/
|
||||
#define DROPBEAR_DH_GROUP1 1
|
||||
#define DROPBEAR_DH_GROUP14_SHA1 1
|
||||
#define DROPBEAR_DH_GROUP14_SHA256 1
|
||||
#define DROPBEAR_DH_GROUP16 0
|
||||
|
||||
/* Control the memory/performance/compression tradeoff for zlib.
|
||||
* Set windowBits=8 for least memory usage, see your system's
|
||||
* zlib.h for full details.
|
||||
* Default settings (windowBits=15) will use 256kB for compression
|
||||
* windowBits=8 will use 129kB for compression.
|
||||
* Both modes will use ~35kB for decompression (using windowBits=15 for
|
||||
* interoperability) */
|
||||
#define DROPBEAR_ZLIB_WINDOW_BITS 15
|
||||
|
||||
/* Whether to do reverse DNS lookups. */
|
||||
#define DO_HOST_LOOKUP 0
|
||||
|
||||
/* Whether to print the message of the day (MOTD). */
|
||||
#define DO_MOTD 0
|
||||
|
||||
/* The MOTD file path */
|
||||
#define MOTD_FILENAME "/etc/motd"
|
||||
|
||||
/* Authentication Types - at least one required.
|
||||
RFC Draft requires pubkey auth, and recommends password */
|
||||
|
||||
/* Note: PAM auth is quite simple and only works for PAM modules which just do
|
||||
* a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c).
|
||||
* It's useful for systems like OS X where standard password crypts don't work
|
||||
* but there's an interface via a PAM module. It won't work for more complex
|
||||
* PAM challenge/response.
|
||||
* You can't enable both PASSWORD and PAM. */
|
||||
|
||||
/* This requires crypt() */
|
||||
#ifdef HAVE_CRYPT
|
||||
#define DROPBEAR_SVR_PASSWORD_AUTH 1
|
||||
#else
|
||||
#define DROPBEAR_SVR_PASSWORD_AUTH 0
|
||||
#endif
|
||||
/* PAM requires ./configure --enable-pam */
|
||||
#define DROPBEAR_SVR_PAM_AUTH 0
|
||||
#define DROPBEAR_SVR_PUBKEY_AUTH 1
|
||||
|
||||
/* Whether to take public key options in
|
||||
* authorized_keys file into account */
|
||||
#define DROPBEAR_SVR_PUBKEY_OPTIONS 1
|
||||
|
||||
/* This requires getpass. */
|
||||
#ifdef HAVE_GETPASS
|
||||
#define DROPBEAR_CLI_PASSWORD_AUTH 1
|
||||
#define DROPBEAR_CLI_INTERACT_AUTH 1
|
||||
#endif
|
||||
#define DROPBEAR_CLI_PUBKEY_AUTH 1
|
||||
|
||||
/* A default argument for dbclient -i <privatekey>.
|
||||
Homedir is prepended unless path begins with / */
|
||||
#define DROPBEAR_DEFAULT_CLI_AUTHKEY ".ssh/id_dropbear"
|
||||
|
||||
/* This variable can be used to set a password for client
|
||||
* authentication on the commandline. Beware of platforms
|
||||
* that don't protect environment variables of processes etc. Also
|
||||
* note that it will be provided for all "hidden" client-interactive
|
||||
* style prompts - if you want something more sophisticated, use
|
||||
* SSH_ASKPASS instead. Comment out this var to remove this functionality.*/
|
||||
#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"
|
||||
|
||||
/* Define this (as well as DROPBEAR_CLI_PASSWORD_AUTH) to allow the use of
|
||||
* a helper program for the ssh client. The helper program should be
|
||||
* specified in the SSH_ASKPASS environment variable, and dbclient
|
||||
* should be run with DISPLAY set and no tty. The program should
|
||||
* return the password on standard output */
|
||||
#define DROPBEAR_CLI_ASKPASS_HELPER 0
|
||||
|
||||
/* Save a network roundtrip by sendng a real auth request immediately after
|
||||
* sending a query for the available methods. It is at the expense of < 100
|
||||
* bytes of extra network traffic. This is not yet enabled by default since it
|
||||
* could cause problems with non-compliant servers */
|
||||
#define DROPBEAR_CLI_IMMEDIATE_AUTH 0
|
||||
|
||||
/* Source for randomness. This must be able to provide hundreds of bytes per SSH
|
||||
* connection without blocking. In addition /dev/random is used for seeding
|
||||
* rsa/dss key generation */
|
||||
#define DROPBEAR_URANDOM_DEV "/dev/urandom"
|
||||
|
||||
/* Set this to use PRNGD or EGD instead of /dev/urandom or /dev/random */
|
||||
/*#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"*/
|
||||
|
||||
|
||||
/* Specify the number of clients we will allow to be connected but
|
||||
* not yet authenticated. After this limit, connections are rejected */
|
||||
/* The first setting is per-IP, to avoid denial of service */
|
||||
#define MAX_UNAUTH_PER_IP 5
|
||||
|
||||
/* And then a global limit to avoid chewing memory if connections
|
||||
* come from many IPs */
|
||||
#define MAX_UNAUTH_CLIENTS 30
|
||||
|
||||
/* Maximum number of failed authentication tries (server option) */
|
||||
#define MAX_AUTH_TRIES 10
|
||||
|
||||
/* The default file to store the daemon's process ID, for shutdown
|
||||
scripts etc. This can be overridden with the -P flag */
|
||||
#define DROPBEAR_PIDFILE "/var/run/dropbear.pid"
|
||||
|
||||
/* The command to invoke for xauth when using X11 forwarding.
|
||||
* "-q" for quiet */
|
||||
#define XAUTH_COMMAND "/usr/bin/xauth -q"
|
||||
|
||||
/* if you want to enable running an sftp server (such as the one included with
|
||||
* OpenSSH), set the path below. If the path isn't defined, sftp will not
|
||||
* be enabled */
|
||||
#define SFTPSERVER_PATH "/usr/libexec/sftp-server"
|
||||
|
||||
/* This is used by the scp binary when used as a client binary. If you're
|
||||
* not using the Dropbear client, you'll need to change it */
|
||||
#define DROPBEAR_PATH_SSH_PROGRAM "/usr/bin/dbclient"
|
||||
|
||||
/* Whether to log commands executed by a client. This only logs the
|
||||
* (single) command sent to the server, not what a user did in a
|
||||
* shell/sftp session etc. */
|
||||
#define LOG_COMMANDS 0
|
||||
|
||||
/* Window size limits. These tend to be a trade-off between memory
|
||||
usage and network performance: */
|
||||
/* Size of the network receive window. This amount of memory is allocated
|
||||
as a per-channel receive buffer. Increasing this value can make a
|
||||
significant difference to network performance. 24kB was empirically
|
||||
chosen for a 100mbit ethernet network. The value can be altered at
|
||||
runtime with the -W argument. */
|
||||
#define DEFAULT_RECV_WINDOW 24576
|
||||
/* Maximum size of a received SSH data packet - this _MUST_ be >= 32768
|
||||
in order to interoperate with other implementations */
|
||||
#define RECV_MAX_PAYLOAD_LEN 32768
|
||||
/* Maximum size of a transmitted data packet - this can be any value,
|
||||
though increasing it may not make a significant difference. */
|
||||
#define TRANS_MAX_PAYLOAD_LEN 16384
|
||||
|
||||
/* Ensure that data is transmitted every KEEPALIVE seconds. This can
|
||||
be overridden at runtime with -K. 0 disables keepalives */
|
||||
#define DEFAULT_KEEPALIVE 0
|
||||
|
||||
/* If this many KEEPALIVES are sent with no packets received from the
|
||||
other side, exit. Not run-time configurable - if you have a need
|
||||
for runtime configuration please mail the Dropbear list */
|
||||
#define DEFAULT_KEEPALIVE_LIMIT 3
|
||||
|
||||
/* Ensure that data is received within IDLE_TIMEOUT seconds. This can
|
||||
be overridden at runtime with -I. 0 disables idle timeouts */
|
||||
#define DEFAULT_IDLE_TIMEOUT 0
|
||||
|
||||
/* The default path. This will often get replaced by the shell */
|
||||
#define DEFAULT_PATH "/usr/bin:/bin"
|
||||
|
||||
#endif /* DROPBEAR_DEFAULT_OPTIONS_H_ */
|
@ -91,6 +91,10 @@ if 0 disables keepalives. If no response is received for 3 consecutive keepalive
|
||||
.B \-I \fIidle_timeout
|
||||
Disconnect the session if no traffic is transmitted or received for \fIidle_timeout\fR seconds.
|
||||
.TP
|
||||
.B \-c \fIforced_command
|
||||
Disregard the command provided by the user and always run \fIforced_command\fR. This also
|
||||
overrides any authorized_keys command= option.
|
||||
.TP
|
||||
.B \-V
|
||||
Print the version
|
||||
|
||||
@ -129,6 +133,7 @@ same functionality with other means even if no-pty is set.
|
||||
.TP
|
||||
.B command=\fR"\fIforced_command\fR"
|
||||
Disregard the command provided by the user and always run \fIforced_command\fR.
|
||||
The -c command line option overrides this.
|
||||
|
||||
The authorized_keys file and its containing ~/.ssh directory must only be
|
||||
writable by the user, otherwise Dropbear will not allow a login using public
|
||||
|
@ -53,8 +53,8 @@ static void printhelp(char * progname) {
|
||||
progname);
|
||||
}
|
||||
|
||||
#if defined(DBMULTI_dropbearconvert) || !defined(DROPBEAR_MULTI)
|
||||
#if defined(DBMULTI_dropbearconvert) && defined(DROPBEAR_MULTI)
|
||||
#if defined(DBMULTI_dropbearconvert) || !DROPBEAR_MULTI
|
||||
#if defined(DBMULTI_dropbearconvert) && DROPBEAR_MULTI
|
||||
int dropbearconvert_main(int argc, char ** argv) {
|
||||
#else
|
||||
int main(int argc, char ** argv) {
|
||||
@ -67,7 +67,7 @@ int main(int argc, char ** argv) {
|
||||
crypto_init();
|
||||
seedrandom();
|
||||
|
||||
#ifdef DEBUG_TRACE
|
||||
#if DEBUG_TRACE
|
||||
/* It's hard for it to get in the way _too_ much */
|
||||
debug_trace = 1;
|
||||
#endif
|
||||
|
@ -67,36 +67,36 @@ static void printhelp(char * progname) {
|
||||
|
||||
fprintf(stderr, "Usage: %s -t <type> -f <filename> [-s bits]\n"
|
||||
"-t type Type of key to generate. One of:\n"
|
||||
#ifdef DROPBEAR_RSA
|
||||
#if DROPBEAR_RSA
|
||||
" rsa\n"
|
||||
#endif
|
||||
#ifdef DROPBEAR_DSS
|
||||
#if DROPBEAR_DSS
|
||||
" dss\n"
|
||||
#endif
|
||||
#ifdef DROPBEAR_ECDSA
|
||||
#if DROPBEAR_ECDSA
|
||||
" ecdsa\n"
|
||||
#endif
|
||||
"-f filename Use filename for the secret key.\n"
|
||||
" ~/.ssh/id_dropbear is recommended for client keys.\n"
|
||||
"-s bits Key size in bits, should be a multiple of 8 (optional)\n"
|
||||
#ifdef DROPBEAR_DSS
|
||||
#if DROPBEAR_DSS
|
||||
" DSS has a fixed size of 1024 bits\n"
|
||||
#endif
|
||||
#ifdef DROPBEAR_ECDSA
|
||||
#if DROPBEAR_ECDSA
|
||||
" ECDSA has sizes "
|
||||
#ifdef DROPBEAR_ECC_256
|
||||
#if DROPBEAR_ECC_256
|
||||
"256 "
|
||||
#endif
|
||||
#ifdef DROPBEAR_ECC_384
|
||||
#if DROPBEAR_ECC_384
|
||||
"384 "
|
||||
#endif
|
||||
#ifdef DROPBEAR_ECC_521
|
||||
#if DROPBEAR_ECC_521
|
||||
"521 "
|
||||
#endif
|
||||
"\n"
|
||||
#endif
|
||||
"-y Just print the publickey and fingerprint for the\n private key in <filename>.\n"
|
||||
#ifdef DEBUG_TRACE
|
||||
#if DEBUG_TRACE
|
||||
"-v verbose\n"
|
||||
#endif
|
||||
,progname);
|
||||
@ -106,7 +106,7 @@ static void printhelp(char * progname) {
|
||||
static void check_signkey_bits(enum signkey_type type, int bits)
|
||||
{
|
||||
switch (type) {
|
||||
#ifdef DROPBEAR_RSA
|
||||
#if DROPBEAR_RSA
|
||||
case DROPBEAR_SIGNKEY_RSA:
|
||||
if (bits < 512 || bits > 4096 || (bits % 8 != 0)) {
|
||||
dropbear_exit("Bits must satisfy 512 <= bits <= 4096, and be a"
|
||||
@ -126,8 +126,8 @@ static void check_signkey_bits(enum signkey_type type, int bits)
|
||||
}
|
||||
}
|
||||
|
||||
#if defined(DBMULTI_dropbearkey) || !defined(DROPBEAR_MULTI)
|
||||
#if defined(DBMULTI_dropbearkey) && defined(DROPBEAR_MULTI)
|
||||
#if defined(DBMULTI_dropbearkey) || !DROPBEAR_MULTI
|
||||
#if defined(DBMULTI_dropbearkey) && DROPBEAR_MULTI
|
||||
int dropbearkey_main(int argc, char ** argv) {
|
||||
#else
|
||||
int main(int argc, char ** argv) {
|
||||
@ -174,7 +174,7 @@ int main(int argc, char ** argv) {
|
||||
printhelp(argv[0]);
|
||||
exit(EXIT_SUCCESS);
|
||||
break;
|
||||
#ifdef DEBUG_TRACE
|
||||
#if DEBUG_TRACE
|
||||
case 'v':
|
||||
debug_trace = 1;
|
||||
break;
|
||||
@ -206,19 +206,19 @@ int main(int argc, char ** argv) {
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
#ifdef DROPBEAR_RSA
|
||||
#if DROPBEAR_RSA
|
||||
if (strcmp(typetext, "rsa") == 0)
|
||||
{
|
||||
keytype = DROPBEAR_SIGNKEY_RSA;
|
||||
}
|
||||
#endif
|
||||
#ifdef DROPBEAR_DSS
|
||||
#if DROPBEAR_DSS
|
||||
if (strcmp(typetext, "dss") == 0)
|
||||
{
|
||||
keytype = DROPBEAR_SIGNKEY_DSS;
|
||||
}
|
||||
#endif
|
||||
#ifdef DROPBEAR_ECDSA
|
||||
#if DROPBEAR_ECDSA
|
||||
if (strcmp(typetext, "ecdsa") == 0)
|
||||
{
|
||||
keytype = DROPBEAR_SIGNKEY_ECDSA_KEYGEN;
|
||||
|
4
dss.c
4
dss.c
@ -37,7 +37,7 @@
|
||||
* See FIPS186 or the Handbook of Applied Cryptography for details of the
|
||||
* algorithm */
|
||||
|
||||
#ifdef DROPBEAR_DSS
|
||||
#if DROPBEAR_DSS
|
||||
|
||||
/* Load a dss key from a buffer, initialising the values.
|
||||
* The key will have the same format as buf_put_dss_key.
|
||||
@ -153,7 +153,7 @@ void buf_put_dss_priv_key(buffer* buf, dropbear_dss_key *key) {
|
||||
|
||||
}
|
||||
|
||||
#ifdef DROPBEAR_SIGNKEY_VERIFY
|
||||
#if DROPBEAR_SIGNKEY_VERIFY
|
||||
/* Verify a DSS signature (in buf) made on data by the key given.
|
||||
* returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
|
||||
int buf_dss_verify(buffer* buf, dropbear_dss_key *key, buffer *data_buf) {
|
||||
|
4
dss.h
4
dss.h
@ -28,7 +28,7 @@
|
||||
#include "includes.h"
|
||||
#include "buffer.h"
|
||||
|
||||
#ifdef DROPBEAR_DSS
|
||||
#if DROPBEAR_DSS
|
||||
|
||||
typedef struct {
|
||||
|
||||
@ -42,7 +42,7 @@ typedef struct {
|
||||
} dropbear_dss_key;
|
||||
|
||||
void buf_put_dss_sign(buffer* buf, dropbear_dss_key *key, buffer *data_buf);
|
||||
#ifdef DROPBEAR_SIGNKEY_VERIFY
|
||||
#if DROPBEAR_SIGNKEY_VERIFY
|
||||
int buf_dss_verify(buffer* buf, dropbear_dss_key *key, buffer *data_buf);
|
||||
#endif
|
||||
int buf_get_dss_pub_key(buffer* buf, dropbear_dss_key *key);
|
||||
|
14
ecc.c
14
ecc.c
@ -4,10 +4,10 @@
|
||||
#include "dbutil.h"
|
||||
#include "bignum.h"
|
||||
|
||||
#ifdef DROPBEAR_ECC
|
||||
#if DROPBEAR_ECC
|
||||
|
||||
/* .dp members are filled out by dropbear_ecc_fill_dp() at startup */
|
||||
#ifdef DROPBEAR_ECC_256
|
||||
#if DROPBEAR_ECC_256
|
||||
struct dropbear_ecc_curve ecc_curve_nistp256 = {
|
||||
32, /* .ltc_size */
|
||||
NULL, /* .dp */
|
||||
@ -15,7 +15,7 @@ struct dropbear_ecc_curve ecc_curve_nistp256 = {
|
||||
"nistp256" /* .name */
|
||||
};
|
||||
#endif
|
||||
#ifdef DROPBEAR_ECC_384
|
||||
#if DROPBEAR_ECC_384
|
||||
struct dropbear_ecc_curve ecc_curve_nistp384 = {
|
||||
48, /* .ltc_size */
|
||||
NULL, /* .dp */
|
||||
@ -23,7 +23,7 @@ struct dropbear_ecc_curve ecc_curve_nistp384 = {
|
||||
"nistp384" /* .name */
|
||||
};
|
||||
#endif
|
||||
#ifdef DROPBEAR_ECC_521
|
||||
#if DROPBEAR_ECC_521
|
||||
struct dropbear_ecc_curve ecc_curve_nistp521 = {
|
||||
66, /* .ltc_size */
|
||||
NULL, /* .dp */
|
||||
@ -33,13 +33,13 @@ struct dropbear_ecc_curve ecc_curve_nistp521 = {
|
||||
#endif
|
||||
|
||||
struct dropbear_ecc_curve *dropbear_ecc_curves[] = {
|
||||
#ifdef DROPBEAR_ECC_256
|
||||
#if DROPBEAR_ECC_256
|
||||
&ecc_curve_nistp256,
|
||||
#endif
|
||||
#ifdef DROPBEAR_ECC_384
|
||||
#if DROPBEAR_ECC_384
|
||||
&ecc_curve_nistp384,
|
||||
#endif
|
||||
#ifdef DROPBEAR_ECC_521
|
||||
#if DROPBEAR_ECC_521
|
||||
&ecc_curve_nistp521,
|
||||
#endif
|
||||
NULL
|
||||
|
2
ecc.h
2
ecc.h
@ -6,7 +6,7 @@
|
||||
|
||||
#include "buffer.h"
|
||||
|
||||
#ifdef DROPBEAR_ECC
|
||||
#if DROPBEAR_ECC
|
||||
|
||||
struct dropbear_ecc_curve {
|
||||
int ltc_size; /* to match the byte sizes in ltc_ecc_sets[] */
|
||||
|
20
ecdsa.c
20
ecdsa.c
@ -6,7 +6,7 @@
|
||||
#include "ecdsa.h"
|
||||
#include "signkey.h"
|
||||
|
||||
#ifdef DROPBEAR_ECDSA
|
||||
#if DROPBEAR_ECDSA
|
||||
|
||||
int signkey_is_ecdsa(enum signkey_type type)
|
||||
{
|
||||
@ -16,17 +16,17 @@ int signkey_is_ecdsa(enum signkey_type type)
|
||||
}
|
||||
|
||||
enum signkey_type ecdsa_signkey_type(ecc_key * key) {
|
||||
#ifdef DROPBEAR_ECC_256
|
||||
#if DROPBEAR_ECC_256
|
||||
if (key->dp == ecc_curve_nistp256.dp) {
|
||||
return DROPBEAR_SIGNKEY_ECDSA_NISTP256;
|
||||
}
|
||||
#endif
|
||||
#ifdef DROPBEAR_ECC_384
|
||||
#if DROPBEAR_ECC_384
|
||||
if (key->dp == ecc_curve_nistp384.dp) {
|
||||
return DROPBEAR_SIGNKEY_ECDSA_NISTP384;
|
||||
}
|
||||
#endif
|
||||
#ifdef DROPBEAR_ECC_521
|
||||
#if DROPBEAR_ECC_521
|
||||
if (key->dp == ecc_curve_nistp521.dp) {
|
||||
return DROPBEAR_SIGNKEY_ECDSA_NISTP521;
|
||||
}
|
||||
@ -38,17 +38,17 @@ ecc_key *gen_ecdsa_priv_key(unsigned int bit_size) {
|
||||
const ltc_ecc_set_type *dp = NULL; /* curve domain parameters */
|
||||
ecc_key *new_key = NULL;
|
||||
switch (bit_size) {
|
||||
#ifdef DROPBEAR_ECC_256
|
||||
#if DROPBEAR_ECC_256
|
||||
case 256:
|
||||
dp = ecc_curve_nistp256.dp;
|
||||
break;
|
||||
#endif
|
||||
#ifdef DROPBEAR_ECC_384
|
||||
#if DROPBEAR_ECC_384
|
||||
case 384:
|
||||
dp = ecc_curve_nistp384.dp;
|
||||
break;
|
||||
#endif
|
||||
#ifdef DROPBEAR_ECC_521
|
||||
#if DROPBEAR_ECC_521
|
||||
case 521:
|
||||
dp = ecc_curve_nistp521.dp;
|
||||
break;
|
||||
@ -56,13 +56,13 @@ ecc_key *gen_ecdsa_priv_key(unsigned int bit_size) {
|
||||
}
|
||||
if (!dp) {
|
||||
dropbear_exit("Key size %d isn't valid. Try "
|
||||
#ifdef DROPBEAR_ECC_256
|
||||
#if DROPBEAR_ECC_256
|
||||
"256 "
|
||||
#endif
|
||||
#ifdef DROPBEAR_ECC_384
|
||||
#if DROPBEAR_ECC_384
|
||||
"384 "
|
||||
#endif
|
||||
#ifdef DROPBEAR_ECC_521
|
||||
#if DROPBEAR_ECC_521
|
||||
"521 "
|
||||
#endif
|
||||
, bit_size);
|
||||
|
8
ecdsa.h
8
ecdsa.h
@ -5,14 +5,14 @@
|
||||
#include "buffer.h"
|
||||
#include "signkey.h"
|
||||
|
||||
#ifdef DROPBEAR_ECDSA
|
||||
#if DROPBEAR_ECDSA
|
||||
|
||||
/* Prefer the larger size - it's fast anyway */
|
||||
#if defined(DROPBEAR_ECC_521)
|
||||
#if DROPBEAR_ECC_521
|
||||
#define ECDSA_DEFAULT_SIZE 521
|
||||
#elif defined(DROPBEAR_ECC_384)
|
||||
#elif DROPBEAR_ECC_384
|
||||
#define ECDSA_DEFAULT_SIZE 384
|
||||
#elif defined(DROPBEAR_ECC_256)
|
||||
#elif DROPBEAR_ECC_256
|
||||
#define ECDSA_DEFAULT_SIZE 256
|
||||
#else
|
||||
#define ECDSA_DEFAULT_SIZE 0
|
||||
|
2
gendss.c
2
gendss.c
@ -35,7 +35,7 @@
|
||||
|
||||
/* This is just a test */
|
||||
|
||||
#ifdef DROPBEAR_DSS
|
||||
#if DROPBEAR_DSS
|
||||
|
||||
static void getq(dropbear_dss_key *key);
|
||||
static void getp(dropbear_dss_key *key, unsigned int size);
|
||||
|
2
gendss.h
2
gendss.h
@ -27,7 +27,7 @@
|
||||
|
||||
#include "dss.h"
|
||||
|
||||
#ifdef DROPBEAR_DSS
|
||||
#if DROPBEAR_DSS
|
||||
|
||||
dropbear_dss_key * gen_dss_priv_key(unsigned int size);
|
||||
|
||||
|
2
genrsa.c
2
genrsa.c
@ -31,7 +31,7 @@
|
||||
|
||||
#define RSA_E 65537
|
||||
|
||||
#ifdef DROPBEAR_RSA
|
||||
#if DROPBEAR_RSA
|
||||
|
||||
static void getrsaprime(mp_int* prime, mp_int *primeminus,
|
||||
mp_int* rsa_e, unsigned int size_bytes);
|
||||
|
2
genrsa.h
2
genrsa.h
@ -27,7 +27,7 @@
|
||||
|
||||
#include "rsa.h"
|
||||
|
||||
#ifdef DROPBEAR_RSA
|
||||
#if DROPBEAR_RSA
|
||||
|
||||
dropbear_rsa_key * gen_rsa_priv_key(unsigned int size);
|
||||
|
||||
|
12
gensignkey.c
12
gensignkey.c
@ -53,15 +53,15 @@ out:
|
||||
static int get_default_bits(enum signkey_type keytype)
|
||||
{
|
||||
switch (keytype) {
|
||||
#ifdef DROPBEAR_RSA
|
||||
#if DROPBEAR_RSA
|
||||
case DROPBEAR_SIGNKEY_RSA:
|
||||
return RSA_DEFAULT_SIZE;
|
||||
#endif
|
||||
#ifdef DROPBEAR_DSS
|
||||
#if DROPBEAR_DSS
|
||||
case DROPBEAR_SIGNKEY_DSS:
|
||||
return DSS_DEFAULT_SIZE;
|
||||
#endif
|
||||
#ifdef DROPBEAR_ECDSA
|
||||
#if DROPBEAR_ECDSA
|
||||
case DROPBEAR_SIGNKEY_ECDSA_KEYGEN:
|
||||
return ECDSA_DEFAULT_SIZE;
|
||||
case DROPBEAR_SIGNKEY_ECDSA_NISTP521:
|
||||
@ -94,17 +94,17 @@ int signkey_generate(enum signkey_type keytype, int bits, const char* filename,
|
||||
seedrandom();
|
||||
|
||||
switch(keytype) {
|
||||
#ifdef DROPBEAR_RSA
|
||||
#if DROPBEAR_RSA
|
||||
case DROPBEAR_SIGNKEY_RSA:
|
||||
key->rsakey = gen_rsa_priv_key(bits);
|
||||
break;
|
||||
#endif
|
||||
#ifdef DROPBEAR_DSS
|
||||
#if DROPBEAR_DSS
|
||||
case DROPBEAR_SIGNKEY_DSS:
|
||||
key->dsskey = gen_dss_priv_key(bits);
|
||||
break;
|
||||
#endif
|
||||
#ifdef DROPBEAR_ECDSA
|
||||
#if DROPBEAR_ECDSA
|
||||
case DROPBEAR_SIGNKEY_ECDSA_KEYGEN:
|
||||
case DROPBEAR_SIGNKEY_ECDSA_NISTP521:
|
||||
case DROPBEAR_SIGNKEY_ECDSA_NISTP384:
|
||||
|
7
ifndef_wrapper.sh
Executable file
7
ifndef_wrapper.sh
Executable file
@ -0,0 +1,7 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Wrap all "#define X Y" with a #ifndef X...#endif"
|
||||
|
||||
sed -E 's/^(#define ([^ ]+) .*)/#ifndef \2\
|
||||
\1\
|
||||
#endif/'
|
8
kex.h
8
kex.h
@ -40,14 +40,14 @@ void free_kexdh_param(struct kex_dh_param *param);
|
||||
void kexdh_comb_key(struct kex_dh_param *param, mp_int *dh_pub_them,
|
||||
sign_key *hostkey);
|
||||
|
||||
#ifdef DROPBEAR_ECDH
|
||||
#if DROPBEAR_ECDH
|
||||
struct kex_ecdh_param *gen_kexecdh_param(void);
|
||||
void free_kexecdh_param(struct kex_ecdh_param *param);
|
||||
void kexecdh_comb_key(struct kex_ecdh_param *param, buffer *pub_them,
|
||||
sign_key *hostkey);
|
||||
#endif
|
||||
|
||||
#ifdef DROPBEAR_CURVE25519
|
||||
#if DROPBEAR_CURVE25519
|
||||
struct kex_curve25519_param *gen_kexcurve25519_param(void);
|
||||
void free_kexcurve25519_param(struct kex_curve25519_param *param);
|
||||
void kexcurve25519_comb_key(struct kex_curve25519_param *param, buffer *pub_them,
|
||||
@ -88,13 +88,13 @@ struct kex_dh_param {
|
||||
mp_int priv; /* x */
|
||||
};
|
||||
|
||||
#ifdef DROPBEAR_ECDH
|
||||
#if DROPBEAR_ECDH
|
||||
struct kex_ecdh_param {
|
||||
ecc_key key;
|
||||
};
|
||||
#endif
|
||||
|
||||
#ifdef DROPBEAR_CURVE25519
|
||||
#if DROPBEAR_CURVE25519
|
||||
#define CURVE25519_LEN 32
|
||||
struct kex_curve25519_param {
|
||||
unsigned char priv[CURVE25519_LEN];
|
||||
|
1226
keyimport.c
1226
keyimport.c
File diff suppressed because it is too large
Load Diff
@ -706,7 +706,7 @@ utmp_write_direct(struct logininfo *li, struct utmp *ut)
|
||||
}
|
||||
|
||||
(void)lseek(fd, (off_t)(tty * sizeof(struct utmp)), SEEK_SET);
|
||||
if (atomicio(write, fd, ut, sizeof(*ut)) != sizeof(*ut))
|
||||
if (atomicio(vwrite, fd, ut, sizeof(*ut)) != sizeof(*ut))
|
||||
dropbear_log(LOG_WARNING, "utmp_write_direct: error writing %s: %s",
|
||||
UTMP_FILE, strerror(errno));
|
||||
|
||||
@ -895,7 +895,7 @@ wtmp_write(struct logininfo *li, struct utmp *ut)
|
||||
return 0;
|
||||
}
|
||||
if (fstat(fd, &buf) == 0)
|
||||
if (atomicio(write, fd, ut, sizeof(*ut)) != sizeof(*ut)) {
|
||||
if (atomicio(vwrite, fd, ut, sizeof(*ut)) != sizeof(*ut)) {
|
||||
ftruncate(fd, buf.st_size);
|
||||
dropbear_log(LOG_WARNING, "wtmp_write: problem writing %s: %s",
|
||||
WTMP_FILE, strerror(errno));
|
||||
@ -1062,7 +1062,7 @@ wtmpx_write(struct logininfo *li, struct utmpx *utx)
|
||||
}
|
||||
|
||||
if (fstat(fd, &buf) == 0)
|
||||
if (atomicio(write, fd, utx, sizeof(*utx)) != sizeof(*utx)) {
|
||||
if (atomicio(vwrite, fd, utx, sizeof(*utx)) != sizeof(*utx)) {
|
||||
ftruncate(fd, buf.st_size);
|
||||
dropbear_log(LOG_WARNING, "wtmpx_write: problem writing %s: %s",
|
||||
WTMPX_FILE, strerror(errno));
|
||||
@ -1351,7 +1351,7 @@ lastlog_perform_login(struct logininfo *li)
|
||||
return(0);
|
||||
|
||||
/* write the entry */
|
||||
if (atomicio(write, fd, &last, sizeof(last)) != sizeof(last)) {
|
||||
if (atomicio(vwrite, fd, &last, sizeof(last)) != sizeof(last)) {
|
||||
close(fd);
|
||||
dropbear_log(LOG_WARNING, "lastlog_write_filemode: Error writing to %s: %s",
|
||||
LASTLOG_FILE, strerror(errno));
|
||||
|
@ -26,7 +26,7 @@
|
||||
* in the various other functions.
|
||||
*/
|
||||
|
||||
#ifdef DROPBEAR_LTC_PRNG
|
||||
#if DROPBEAR_LTC_PRNG
|
||||
|
||||
/**
|
||||
Start the PRNG
|
||||
|
@ -4,7 +4,7 @@
|
||||
#include "options.h"
|
||||
#include "includes.h"
|
||||
|
||||
#ifdef DROPBEAR_LTC_PRNG
|
||||
#if DROPBEAR_LTC_PRNG
|
||||
|
||||
extern const struct ltc_prng_descriptor dropbear_prng_desc;
|
||||
|
||||
|
6
netio.c
6
netio.c
@ -53,7 +53,7 @@ static void connect_try_next(struct dropbear_progress_connection *c) {
|
||||
struct addrinfo *r;
|
||||
int res = 0;
|
||||
int fastopen = 0;
|
||||
#ifdef DROPBEAR_CLIENT_TCP_FAST_OPEN
|
||||
#if DROPBEAR_CLIENT_TCP_FAST_OPEN
|
||||
struct msghdr message;
|
||||
#endif
|
||||
|
||||
@ -70,7 +70,7 @@ static void connect_try_next(struct dropbear_progress_connection *c) {
|
||||
set_sock_nodelay(c->sock);
|
||||
setnonblocking(c->sock);
|
||||
|
||||
#ifdef DROPBEAR_CLIENT_TCP_FAST_OPEN
|
||||
#if DROPBEAR_CLIENT_TCP_FAST_OPEN
|
||||
fastopen = (c->writequeue != NULL);
|
||||
|
||||
if (fastopen) {
|
||||
@ -290,7 +290,7 @@ void set_sock_nodelay(int sock) {
|
||||
setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (void*)&val, sizeof(val));
|
||||
}
|
||||
|
||||
#ifdef DROPBEAR_SERVER_TCP_FAST_OPEN
|
||||
#if DROPBEAR_SERVER_TCP_FAST_OPEN
|
||||
void set_listen_fast_open(int sock) {
|
||||
int qlen = MAX(MAX_UNAUTH_PER_IP, 5);
|
||||
if (setsockopt(sock, SOL_TCP, TCP_FASTOPEN, &qlen, sizeof(qlen)) != 0) {
|
||||
|
2
netio.h
2
netio.h
@ -48,7 +48,7 @@ void connect_set_writequeue(struct dropbear_progress_connection *c, struct Queue
|
||||
void packet_queue_to_iovec(struct Queue *queue, struct iovec *iov, unsigned int *iov_count);
|
||||
void packet_queue_consume(struct Queue *queue, ssize_t written);
|
||||
|
||||
#ifdef DROPBEAR_SERVER_TCP_FAST_OPEN
|
||||
#if DROPBEAR_SERVER_TCP_FAST_OPEN
|
||||
/* Try for any Linux builds, will fall back if the kernel doesn't support it */
|
||||
void set_listen_fast_open(int sock);
|
||||
/* Define values which may be supported by the kernel even if the libc is too old */
|
||||
|
359
options.h
359
options.h
@ -1,356 +1,19 @@
|
||||
/* Dropbear SSH
|
||||
* Copyright (c) 2002,2003 Matt Johnston
|
||||
* All rights reserved. See LICENSE for the license. */
|
||||
#ifndef DROPBEAR_OPTIONS_H
|
||||
#define DROPBEAR_OPTIONS_H
|
||||
|
||||
#ifndef DROPBEAR_OPTIONS_H_
|
||||
#define DROPBEAR_OPTIONS_H_
|
||||
/*
|
||||
Local compile-time configuration should be defined in localoptions.h
|
||||
See default_options.h.in for a description of the available options.
|
||||
*/
|
||||
|
||||
/* Define compile-time options below - the "#ifndef DROPBEAR_XXX .... #endif"
|
||||
* parts are to allow for commandline -DDROPBEAR_XXX options etc. */
|
||||
|
||||
/* IMPORTANT: Many options will require "make clean" after changes */
|
||||
|
||||
#ifndef DROPBEAR_DEFPORT
|
||||
#define DROPBEAR_DEFPORT "22"
|
||||
#ifdef LOCALOPTIONS_H_EXISTS
|
||||
#include "localoptions.h"
|
||||
#endif
|
||||
|
||||
#ifndef DROPBEAR_DEFADDRESS
|
||||
/* Listen on all interfaces */
|
||||
#define DROPBEAR_DEFADDRESS ""
|
||||
#endif
|
||||
#include "default_options.h"
|
||||
|
||||
/* Default hostkey paths - these can be specified on the command line */
|
||||
#ifndef DSS_PRIV_FILENAME
|
||||
#define DSS_PRIV_FILENAME "/etc/dropbear/dropbear_dss_host_key"
|
||||
#endif
|
||||
#ifndef RSA_PRIV_FILENAME
|
||||
#define RSA_PRIV_FILENAME "/etc/dropbear/dropbear_rsa_host_key"
|
||||
#endif
|
||||
#ifndef ECDSA_PRIV_FILENAME
|
||||
#define ECDSA_PRIV_FILENAME "/etc/dropbear/dropbear_ecdsa_host_key"
|
||||
#endif
|
||||
|
||||
/* Set NON_INETD_MODE if you require daemon functionality (ie Dropbear listens
|
||||
* on chosen ports and keeps accepting connections. This is the default.
|
||||
*
|
||||
* Set INETD_MODE if you want to be able to run Dropbear with inetd (or
|
||||
* similar), where it will use stdin/stdout for connections, and each process
|
||||
* lasts for a single connection. Dropbear should be invoked with the -i flag
|
||||
* for inetd, and can only accept IPv4 connections.
|
||||
*
|
||||
* Both of these flags can be defined at once, don't compile without at least
|
||||
* one of them. */
|
||||
#define NON_INETD_MODE
|
||||
#define INETD_MODE
|
||||
|
||||
/* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is
|
||||
* perhaps 20% slower for pubkey operations (it is probably worth experimenting
|
||||
* if you want to use this) */
|
||||
/*#define NO_FAST_EXPTMOD*/
|
||||
|
||||
/* Set this if you want to use the DROPBEAR_SMALL_CODE option. This can save
|
||||
several kB in binary size however will make the symmetrical ciphers and hashes
|
||||
slower, perhaps by 50%. Recommended for small systems that aren't doing
|
||||
much traffic. */
|
||||
#define DROPBEAR_SMALL_CODE
|
||||
|
||||
/* Enable X11 Forwarding - server only */
|
||||
#define ENABLE_X11FWD
|
||||
|
||||
/* Enable TCP Fowarding */
|
||||
/* 'Local' is "-L" style (client listening port forwarded via server)
|
||||
* 'Remote' is "-R" style (server listening port forwarded via client) */
|
||||
|
||||
#define ENABLE_CLI_LOCALTCPFWD
|
||||
#define ENABLE_CLI_REMOTETCPFWD
|
||||
|
||||
#define ENABLE_SVR_LOCALTCPFWD
|
||||
#define ENABLE_SVR_REMOTETCPFWD
|
||||
|
||||
/* Enable Authentication Agent Forwarding */
|
||||
#define ENABLE_SVR_AGENTFWD
|
||||
#define ENABLE_CLI_AGENTFWD
|
||||
|
||||
|
||||
/* Note: Both ENABLE_CLI_PROXYCMD and ENABLE_CLI_NETCAT must be set to
|
||||
* allow multihop dbclient connections */
|
||||
|
||||
/* Allow using -J <proxycommand> to run the connection through a
|
||||
pipe to a program, rather the normal TCP connection */
|
||||
#define ENABLE_CLI_PROXYCMD
|
||||
|
||||
/* Enable "Netcat mode" option. This will forward standard input/output
|
||||
* to a remote TCP-forwarded connection */
|
||||
#define ENABLE_CLI_NETCAT
|
||||
|
||||
/* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */
|
||||
#define ENABLE_USER_ALGO_LIST
|
||||
|
||||
/* Encryption - at least one required.
|
||||
* Protocol RFC requires 3DES and recommends AES128 for interoperability.
|
||||
* Including multiple keysize variants the same cipher
|
||||
* (eg AES256 as well as AES128) will result in a minimal size increase.*/
|
||||
#define DROPBEAR_AES128
|
||||
#define DROPBEAR_3DES
|
||||
#define DROPBEAR_AES256
|
||||
/* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
|
||||
/*#define DROPBEAR_BLOWFISH*/
|
||||
#define DROPBEAR_TWOFISH256
|
||||
#define DROPBEAR_TWOFISH128
|
||||
|
||||
/* Enable CBC mode for ciphers. This has security issues though
|
||||
* is the most compatible with older SSH implementations */
|
||||
#define DROPBEAR_ENABLE_CBC_MODE
|
||||
|
||||
/* Enable "Counter Mode" for ciphers. This is more secure than normal
|
||||
* CBC mode against certain attacks. It is recommended for security
|
||||
* and forwards compatibility */
|
||||
#define DROPBEAR_ENABLE_CTR_MODE
|
||||
|
||||
/* Twofish counter mode is disabled by default because it
|
||||
has not been tested for interoperability with other SSH implementations.
|
||||
If you test it please contact the Dropbear author */
|
||||
/* #define DROPBEAR_TWOFISH_CTR */
|
||||
|
||||
/* You can compile with no encryption if you want. In some circumstances
|
||||
* this could be safe security-wise, though make sure you know what
|
||||
* you're doing. Anyone can see everything that goes over the wire, so
|
||||
* the only safe auth method is public key. */
|
||||
/* #define DROPBEAR_NONE_CIPHER */
|
||||
|
||||
/* Message Integrity - at least one required.
|
||||
* Protocol RFC requires sha1 and recommends sha1-96.
|
||||
* sha1-96 is of use for slow links as it has a smaller overhead.
|
||||
*
|
||||
* There's no reason to disable sha1 or sha1-96 to save space since it's
|
||||
* used for the random number generator and public-key cryptography anyway.
|
||||
* Disabling it here will just stop it from being used as the integrity portion
|
||||
* of the ssh protocol.
|
||||
*
|
||||
* These hashes are also used for public key fingerprints in logs.
|
||||
* If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
|
||||
* which are not the standard form. */
|
||||
#define DROPBEAR_SHA1_HMAC
|
||||
#define DROPBEAR_SHA1_96_HMAC
|
||||
#define DROPBEAR_SHA2_256_HMAC
|
||||
#define DROPBEAR_SHA2_512_HMAC
|
||||
#define DROPBEAR_MD5_HMAC
|
||||
|
||||
/* You can also disable integrity. Don't bother disabling this if you're
|
||||
* still using a cipher, it's relatively cheap. If you disable this it's dead
|
||||
* simple for an attacker to run arbitrary commands on the remote host. Beware. */
|
||||
/* #define DROPBEAR_NONE_INTEGRITY */
|
||||
|
||||
/* Hostkey/public key algorithms - at least one required, these are used
|
||||
* for hostkey as well as for verifying signatures with pubkey auth.
|
||||
* Removing either of these won't save very much space.
|
||||
* SSH2 RFC Draft requires dss, recommends rsa */
|
||||
#define DROPBEAR_RSA
|
||||
#define DROPBEAR_DSS
|
||||
/* ECDSA is significantly faster than RSA or DSS. Compiling in ECC
|
||||
* code (either ECDSA or ECDH) increases binary size - around 30kB
|
||||
* on x86-64 */
|
||||
#define DROPBEAR_ECDSA
|
||||
|
||||
/* Generate hostkeys as-needed when the first connection using that key type occurs.
|
||||
This avoids the need to otherwise run "dropbearkey" and avoids some problems
|
||||
with badly seeded /dev/urandom when systems first boot.
|
||||
This also requires a runtime flag "-R". This adds ~4kB to binary size (or hardly
|
||||
anything if dropbearkey is linked in a "dropbearmulti" binary) */
|
||||
#define DROPBEAR_DELAY_HOSTKEY
|
||||
|
||||
/* Enable Curve25519 for key exchange. This is another elliptic
|
||||
* curve method with good security properties. Increases binary size
|
||||
* by ~8kB on x86-64 */
|
||||
#define DROPBEAR_CURVE25519
|
||||
|
||||
/* Enable elliptic curve Diffie Hellman key exchange, see note about
|
||||
* ECDSA above */
|
||||
#define DROPBEAR_ECDH
|
||||
|
||||
/* Group14 (2048 bit) is recommended. Group1 is less secure (1024 bit) though
|
||||
is the only option for interoperability with some older SSH programs */
|
||||
#define DROPBEAR_DH_GROUP1 1
|
||||
#define DROPBEAR_DH_GROUP14 1
|
||||
|
||||
/* Control the memory/performance/compression tradeoff for zlib.
|
||||
* Set windowBits=8 for least memory usage, see your system's
|
||||
* zlib.h for full details.
|
||||
* Default settings (windowBits=15) will use 256kB for compression
|
||||
* windowBits=8 will use 129kB for compression.
|
||||
* Both modes will use ~35kB for decompression (using windowBits=15 for
|
||||
* interoperability) */
|
||||
#ifndef DROPBEAR_ZLIB_WINDOW_BITS
|
||||
#define DROPBEAR_ZLIB_WINDOW_BITS 15
|
||||
#endif
|
||||
|
||||
/* Server won't allow zlib compression until after authentication. Prevents
|
||||
flaws in the zlib library being unauthenticated exploitable flaws.
|
||||
Some old ssh clients may not support the alternative zlib@openssh.com method */
|
||||
#define DROPBEAR_SERVER_DELAY_ZLIB 1
|
||||
|
||||
/* Whether to do reverse DNS lookups. */
|
||||
/*#define DO_HOST_LOOKUP */
|
||||
|
||||
/* Whether to print the message of the day (MOTD). This doesn't add much code
|
||||
* size */
|
||||
#define DO_MOTD
|
||||
|
||||
/* The MOTD file path */
|
||||
#ifndef MOTD_FILENAME
|
||||
#define MOTD_FILENAME "/etc/motd"
|
||||
#endif
|
||||
|
||||
/* Authentication Types - at least one required.
|
||||
RFC Draft requires pubkey auth, and recommends password */
|
||||
|
||||
/* Note: PAM auth is quite simple and only works for PAM modules which just do
|
||||
* a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c).
|
||||
* It's useful for systems like OS X where standard password crypts don't work
|
||||
* but there's an interface via a PAM module. It won't work for more complex
|
||||
* PAM challenge/response.
|
||||
* You can't enable both PASSWORD and PAM. */
|
||||
|
||||
/* This requires crypt() */
|
||||
#ifdef HAVE_CRYPT
|
||||
#define ENABLE_SVR_PASSWORD_AUTH
|
||||
#endif
|
||||
/* PAM requires ./configure --enable-pam */
|
||||
/*#define ENABLE_SVR_PAM_AUTH */
|
||||
#define ENABLE_SVR_PUBKEY_AUTH
|
||||
|
||||
/* Whether to take public key options in
|
||||
* authorized_keys file into account */
|
||||
#ifdef ENABLE_SVR_PUBKEY_AUTH
|
||||
#define ENABLE_SVR_PUBKEY_OPTIONS
|
||||
#endif
|
||||
|
||||
/* This requires getpass. */
|
||||
#ifdef HAVE_GETPASS
|
||||
#define ENABLE_CLI_PASSWORD_AUTH
|
||||
#define ENABLE_CLI_INTERACT_AUTH
|
||||
#endif
|
||||
#define ENABLE_CLI_PUBKEY_AUTH
|
||||
|
||||
/* A default argument for dbclient -i <privatekey>.
|
||||
Homedir is prepended unless path begins with / */
|
||||
#define DROPBEAR_DEFAULT_CLI_AUTHKEY ".ssh/id_dropbear"
|
||||
|
||||
/* This variable can be used to set a password for client
|
||||
* authentication on the commandline. Beware of platforms
|
||||
* that don't protect environment variables of processes etc. Also
|
||||
* note that it will be provided for all "hidden" client-interactive
|
||||
* style prompts - if you want something more sophisticated, use
|
||||
* SSH_ASKPASS instead. Comment out this var to remove this functionality.*/
|
||||
#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"
|
||||
|
||||
/* Define this (as well as ENABLE_CLI_PASSWORD_AUTH) to allow the use of
|
||||
* a helper program for the ssh client. The helper program should be
|
||||
* specified in the SSH_ASKPASS environment variable, and dbclient
|
||||
* should be run with DISPLAY set and no tty. The program should
|
||||
* return the password on standard output */
|
||||
/*#define ENABLE_CLI_ASKPASS_HELPER*/
|
||||
|
||||
/* Save a network roundtrip by sendng a real auth request immediately after
|
||||
* sending a query for the available methods. It is at the expense of < 100
|
||||
* bytes of extra network traffic. This is not yet enabled by default since it
|
||||
* could cause problems with non-compliant servers */
|
||||
/* #define DROPBEAR_CLI_IMMEDIATE_AUTH */
|
||||
|
||||
/* Source for randomness. This must be able to provide hundreds of bytes per SSH
|
||||
* connection without blocking. In addition /dev/random is used for seeding
|
||||
* rsa/dss key generation */
|
||||
#define DROPBEAR_URANDOM_DEV "/dev/urandom"
|
||||
|
||||
/* Set this to use PRNGD or EGD instead of /dev/urandom or /dev/random */
|
||||
/*#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"*/
|
||||
|
||||
|
||||
/* Specify the number of clients we will allow to be connected but
|
||||
* not yet authenticated. After this limit, connections are rejected */
|
||||
/* The first setting is per-IP, to avoid denial of service */
|
||||
#ifndef MAX_UNAUTH_PER_IP
|
||||
#define MAX_UNAUTH_PER_IP 5
|
||||
#endif
|
||||
|
||||
/* And then a global limit to avoid chewing memory if connections
|
||||
* come from many IPs */
|
||||
#ifndef MAX_UNAUTH_CLIENTS
|
||||
#define MAX_UNAUTH_CLIENTS 30
|
||||
#endif
|
||||
|
||||
/* Maximum number of failed authentication tries (server option) */
|
||||
#ifndef MAX_AUTH_TRIES
|
||||
#define MAX_AUTH_TRIES 10
|
||||
#endif
|
||||
|
||||
/* The default file to store the daemon's process ID, for shutdown
|
||||
scripts etc. This can be overridden with the -P flag */
|
||||
#ifndef DROPBEAR_PIDFILE
|
||||
#define DROPBEAR_PIDFILE "/var/run/dropbear.pid"
|
||||
#endif
|
||||
|
||||
/* The command to invoke for xauth when using X11 forwarding.
|
||||
* "-q" for quiet */
|
||||
#ifndef XAUTH_COMMAND
|
||||
#define XAUTH_COMMAND "/usr/bin/xauth -q"
|
||||
#endif
|
||||
|
||||
/* if you want to enable running an sftp server (such as the one included with
|
||||
* OpenSSH), set the path below. If the path isn't defined, sftp will not
|
||||
* be enabled */
|
||||
#ifndef SFTPSERVER_PATH
|
||||
#define SFTPSERVER_PATH "/usr/libexec/sftp-server"
|
||||
#endif
|
||||
|
||||
/* This is used by the scp binary when used as a client binary. If you're
|
||||
* not using the Dropbear client, you'll need to change it */
|
||||
#define DROPBEAR_PATH_SSH_PROGRAM "/usr/bin/dbclient"
|
||||
|
||||
/* Whether to log commands executed by a client. This only logs the
|
||||
* (single) command sent to the server, not what a user did in a
|
||||
* shell/sftp session etc. */
|
||||
/* #define LOG_COMMANDS */
|
||||
|
||||
/* Window size limits. These tend to be a trade-off between memory
|
||||
usage and network performance: */
|
||||
/* Size of the network receive window. This amount of memory is allocated
|
||||
as a per-channel receive buffer. Increasing this value can make a
|
||||
significant difference to network performance. 24kB was empirically
|
||||
chosen for a 100mbit ethernet network. The value can be altered at
|
||||
runtime with the -W argument. */
|
||||
#ifndef DEFAULT_RECV_WINDOW
|
||||
#define DEFAULT_RECV_WINDOW 24576
|
||||
#endif
|
||||
/* Maximum size of a received SSH data packet - this _MUST_ be >= 32768
|
||||
in order to interoperate with other implementations */
|
||||
#ifndef RECV_MAX_PAYLOAD_LEN
|
||||
#define RECV_MAX_PAYLOAD_LEN 32768
|
||||
#endif
|
||||
/* Maximum size of a transmitted data packet - this can be any value,
|
||||
though increasing it may not make a significant difference. */
|
||||
#ifndef TRANS_MAX_PAYLOAD_LEN
|
||||
#define TRANS_MAX_PAYLOAD_LEN 16384
|
||||
#endif
|
||||
|
||||
/* Ensure that data is transmitted every KEEPALIVE seconds. This can
|
||||
be overridden at runtime with -K. 0 disables keepalives */
|
||||
#define DEFAULT_KEEPALIVE 0
|
||||
|
||||
/* If this many KEEPALIVES are sent with no packets received from the
|
||||
other side, exit. Not run-time configurable - if you have a need
|
||||
for runtime configuration please mail the Dropbear list */
|
||||
#define DEFAULT_KEEPALIVE_LIMIT 3
|
||||
|
||||
/* Ensure that data is received within IDLE_TIMEOUT seconds. This can
|
||||
be overridden at runtime with -I. 0 disables idle timeouts */
|
||||
#define DEFAULT_IDLE_TIMEOUT 0
|
||||
|
||||
/* The default path. This will often get replaced by the shell */
|
||||
#define DEFAULT_PATH "/usr/bin:/bin"
|
||||
|
||||
/* Some other defines (that mostly should be left alone) are defined
|
||||
/* Some other defines that mostly should be left alone are defined
|
||||
* in sysoptions.h */
|
||||
#include "sysoptions.h"
|
||||
|
||||
#endif /* DROPBEAR_OPTIONS_H_ */
|
||||
#endif /* DROPBEAR_OPTIONS_H */
|
||||
|
8
rsa.c
8
rsa.c
@ -36,7 +36,7 @@
|
||||
#include "ssh.h"
|
||||
#include "dbrandom.h"
|
||||
|
||||
#ifdef DROPBEAR_RSA
|
||||
#if DROPBEAR_RSA
|
||||
|
||||
static void rsa_pad_em(dropbear_rsa_key * key,
|
||||
buffer *data_buf, mp_int * rsa_em);
|
||||
@ -204,7 +204,7 @@ void buf_put_rsa_priv_key(buffer* buf, dropbear_rsa_key *key) {
|
||||
|
||||
}
|
||||
|
||||
#ifdef DROPBEAR_SIGNKEY_VERIFY
|
||||
#if DROPBEAR_SIGNKEY_VERIFY
|
||||
/* Verify a signature in buf, made on data by the key given.
|
||||
* Returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
|
||||
int buf_rsa_verify(buffer * buf, dropbear_rsa_key *key, buffer *data_buf) {
|
||||
@ -279,7 +279,7 @@ void buf_put_rsa_sign(buffer* buf, dropbear_rsa_key *key, buffer *data_buf) {
|
||||
|
||||
/* the actual signing of the padded data */
|
||||
|
||||
#ifdef RSA_BLINDING
|
||||
#if DROPBEAR_RSA_BLINDING
|
||||
|
||||
/* With blinding, s = (r^(-1))((em)*r^e)^d mod n */
|
||||
|
||||
@ -322,7 +322,7 @@ void buf_put_rsa_sign(buffer* buf, dropbear_rsa_key *key, buffer *data_buf) {
|
||||
dropbear_exit("RSA error");
|
||||
}
|
||||
|
||||
#endif /* RSA_BLINDING */
|
||||
#endif /* DROPBEAR_RSA_BLINDING */
|
||||
|
||||
mp_clear_multi(&rsa_tmp1, &rsa_tmp2, &rsa_tmp3, NULL);
|
||||
|
||||
|
4
rsa.h
4
rsa.h
@ -28,7 +28,7 @@
|
||||
#include "includes.h"
|
||||
#include "buffer.h"
|
||||
|
||||
#ifdef DROPBEAR_RSA
|
||||
#if DROPBEAR_RSA
|
||||
|
||||
#define RSA_SIGNATURE_SIZE (4+7+4+40)
|
||||
|
||||
@ -44,7 +44,7 @@ typedef struct {
|
||||
} dropbear_rsa_key;
|
||||
|
||||
void buf_put_rsa_sign(buffer* buf, dropbear_rsa_key *key, buffer *data_buf);
|
||||
#ifdef DROPBEAR_SIGNKEY_VERIFY
|
||||
#if DROPBEAR_SIGNKEY_VERIFY
|
||||
int buf_rsa_verify(buffer * buf, dropbear_rsa_key *key, buffer *data_buf);
|
||||
#endif
|
||||
int buf_get_rsa_pub_key(buffer* buf, dropbear_rsa_key *key);
|
||||
|
28
runopts.h
28
runopts.h
@ -33,8 +33,8 @@
|
||||
|
||||
typedef struct runopts {
|
||||
|
||||
#if defined(ENABLE_SVR_REMOTETCPFWD) || defined(ENABLE_CLI_LOCALTCPFWD) \
|
||||
|| defined(ENABLE_CLI_REMOTETCPFWD)
|
||||
#if DROPBEAR_SVR_REMOTETCPFWD || DROPBEAR_CLI_LOCALTCPFWD \
|
||||
|| DROPBEAR_CLI_REMOTETCPFWD
|
||||
int listen_fwd_all;
|
||||
#endif
|
||||
unsigned int recv_window;
|
||||
@ -53,7 +53,7 @@ typedef struct runopts {
|
||||
} compress_mode;
|
||||
#endif
|
||||
|
||||
#ifdef ENABLE_USER_ALGO_LIST
|
||||
#if DROPBEAR_USER_ALGO_LIST
|
||||
char *cipher_list;
|
||||
char *mac_list;
|
||||
#endif
|
||||
@ -97,10 +97,10 @@ typedef struct svr_runopts {
|
||||
int norootpass;
|
||||
int allowblankpass;
|
||||
|
||||
#ifdef ENABLE_SVR_REMOTETCPFWD
|
||||
#if DROPBEAR_SVR_REMOTETCPFWD
|
||||
int noremotetcp;
|
||||
#endif
|
||||
#ifdef ENABLE_SVR_LOCALTCPFWD
|
||||
#if DROPBEAR_SVR_LOCALTCPFWD
|
||||
int nolocaltcp;
|
||||
#endif
|
||||
|
||||
@ -114,6 +114,8 @@ typedef struct svr_runopts {
|
||||
buffer * banner;
|
||||
char * pidfile;
|
||||
|
||||
char * forced_command;
|
||||
|
||||
} svr_runopts;
|
||||
|
||||
extern svr_runopts svr_opts;
|
||||
@ -137,19 +139,19 @@ typedef struct cli_runopts {
|
||||
int no_cmd;
|
||||
int backgrounded;
|
||||
int is_subsystem;
|
||||
#ifdef ENABLE_CLI_PUBKEY_AUTH
|
||||
#if DROPBEAR_CLI_PUBKEY_AUTH
|
||||
m_list *privkeys; /* Keys to use for public-key auth */
|
||||
#endif
|
||||
#ifdef ENABLE_CLI_ANYTCPFWD
|
||||
#if DROPBEAR_CLI_ANYTCPFWD
|
||||
int exit_on_fwd_failure;
|
||||
#endif
|
||||
#ifdef ENABLE_CLI_REMOTETCPFWD
|
||||
#if DROPBEAR_CLI_REMOTETCPFWD
|
||||
m_list * remotefwds;
|
||||
#endif
|
||||
#ifdef ENABLE_CLI_LOCALTCPFWD
|
||||
#if DROPBEAR_CLI_LOCALTCPFWD
|
||||
m_list * localfwds;
|
||||
#endif
|
||||
#ifdef ENABLE_CLI_AGENTFWD
|
||||
#if DROPBEAR_CLI_AGENTFWD
|
||||
int agent_fwd;
|
||||
int agent_keys_loaded; /* whether pubkeys has been populated with a
|
||||
list of keys held by the agent */
|
||||
@ -157,11 +159,11 @@ typedef struct cli_runopts {
|
||||
agent sessions have their own file descriptors */
|
||||
#endif
|
||||
|
||||
#ifdef ENABLE_CLI_NETCAT
|
||||
#if DROPBEAR_CLI_NETCAT
|
||||
char *netcat_host;
|
||||
unsigned int netcat_port;
|
||||
#endif
|
||||
#ifdef ENABLE_CLI_PROXYCMD
|
||||
#if DROPBEAR_CLI_PROXYCMD
|
||||
char *proxycmd;
|
||||
#endif
|
||||
} cli_runopts;
|
||||
@ -169,7 +171,7 @@ typedef struct cli_runopts {
|
||||
extern cli_runopts cli_opts;
|
||||
void cli_getopts(int argc, char ** argv);
|
||||
|
||||
#ifdef ENABLE_USER_ALGO_LIST
|
||||
#if DROPBEAR_USER_ALGO_LIST
|
||||
void parse_ciphers_macs(void);
|
||||
#endif
|
||||
|
||||
|
18
scp.c
18
scp.c
@ -133,7 +133,7 @@ do_local_cmd(arglist *a)
|
||||
fprintf(stderr, " %s", a->list[i]);
|
||||
fprintf(stderr, "\n");
|
||||
}
|
||||
#ifdef USE_VFORK
|
||||
#if DROPBEAR_VFORK
|
||||
pid = vfork();
|
||||
#else
|
||||
pid = fork();
|
||||
@ -144,7 +144,7 @@ do_local_cmd(arglist *a)
|
||||
if (pid == 0) {
|
||||
execvp(a->list[0], a->list);
|
||||
perror(a->list[0]);
|
||||
#ifdef USE_VFORK
|
||||
#if DROPBEAR_VFORK
|
||||
_exit(1);
|
||||
#else
|
||||
exit(1);
|
||||
@ -213,12 +213,12 @@ do_cmd(char *host, char *remuser, char *cmd, int *fdin, int *fdout, int argc)
|
||||
|
||||
/* uClinux needs to build the args here before vforking,
|
||||
otherwise we do it later on. */
|
||||
#ifdef USE_VFORK
|
||||
#if DROPBEAR_VFORK
|
||||
arg_setup(host, remuser, cmd);
|
||||
#endif
|
||||
|
||||
/* Fork a child to execute the command on the remote host using ssh. */
|
||||
#ifdef USE_VFORK
|
||||
#if DROPBEAR_VFORK
|
||||
do_cmd_pid = vfork();
|
||||
#else
|
||||
do_cmd_pid = fork();
|
||||
@ -233,13 +233,13 @@ do_cmd(char *host, char *remuser, char *cmd, int *fdin, int *fdout, int argc)
|
||||
close(pin[0]);
|
||||
close(pout[1]);
|
||||
|
||||
#ifndef USE_VFORK
|
||||
#if !DROPBEAR_VFORK
|
||||
arg_setup(host, remuser, cmd);
|
||||
#endif
|
||||
|
||||
execvp(ssh_program, args.list);
|
||||
perror(ssh_program);
|
||||
#ifdef USE_VFORK
|
||||
#if DROPBEAR_VFORK
|
||||
_exit(1);
|
||||
#else
|
||||
exit(1);
|
||||
@ -248,7 +248,7 @@ do_cmd(char *host, char *remuser, char *cmd, int *fdin, int *fdout, int argc)
|
||||
fatal("fork: %s", strerror(errno));
|
||||
}
|
||||
|
||||
#ifdef USE_VFORK
|
||||
#if DROPBEAR_VFORK
|
||||
/* clean up command */
|
||||
/* pop cmd */
|
||||
xfree(args.list[args.num-1]);
|
||||
@ -304,8 +304,8 @@ void tolocal(int, char *[]);
|
||||
void toremote(char *, int, char *[]);
|
||||
void usage(void);
|
||||
|
||||
#if defined(DBMULTI_scp) || !defined(DROPBEAR_MULTI)
|
||||
#if defined(DBMULTI_scp) && defined(DROPBEAR_MULTI)
|
||||
#if defined(DBMULTI_scp) || !DROPBEAR_MULTI
|
||||
#if defined(DBMULTI_scp) && DROPBEAR_MULTI
|
||||
int scp_main(int argc, char **argv)
|
||||
#else
|
||||
int
|
||||
|
@ -12,9 +12,6 @@
|
||||
* called by a name other than "ssh" or "Secure Shell".
|
||||
*/
|
||||
|
||||
/* actually from atomicio, but is only used in scp code */
|
||||
#define vwrite (ssize_t (*)(int, void *, size_t))write
|
||||
|
||||
char *chop(char *);
|
||||
char *strdelim(char **);
|
||||
void set_nonblock(int);
|
||||
|
10
session.h
10
session.h
@ -79,7 +79,7 @@ struct key_context_directional {
|
||||
/* actual keys */
|
||||
union {
|
||||
symmetric_CBC cbc;
|
||||
#ifdef DROPBEAR_ENABLE_CTR_MODE
|
||||
#if DROPBEAR_ENABLE_CTR_MODE
|
||||
symmetric_CTR ctr;
|
||||
#endif
|
||||
} cipher_state;
|
||||
@ -237,7 +237,7 @@ struct serversession {
|
||||
/* The resolved remote address, used for lastlog etc */
|
||||
char *remotehost;
|
||||
|
||||
#ifdef USE_VFORK
|
||||
#if DROPBEAR_VFORK
|
||||
pid_t server_pid;
|
||||
#endif
|
||||
|
||||
@ -288,7 +288,7 @@ struct clientsession {
|
||||
int lastauthtype; /* either AUTH_TYPE_PUBKEY or AUTH_TYPE_PASSWORD,
|
||||
for the last type of auth we tried */
|
||||
int ignore_next_auth_response;
|
||||
#ifdef ENABLE_CLI_INTERACT_AUTH
|
||||
#if DROPBEAR_CLI_INTERACT_AUTH
|
||||
int auth_interact_failed; /* flag whether interactive auth can still
|
||||
be used */
|
||||
int interact_request_received; /* flag whether we've received an
|
||||
@ -311,11 +311,11 @@ struct clientsession {
|
||||
/* Global structs storing the state */
|
||||
extern struct sshsession ses;
|
||||
|
||||
#ifdef DROPBEAR_SERVER
|
||||
#if DROPBEAR_SERVER
|
||||
extern struct serversession svr_ses;
|
||||
#endif /* DROPBEAR_SERVER */
|
||||
|
||||
#ifdef DROPBEAR_CLIENT
|
||||
#if DROPBEAR_CLIENT
|
||||
extern struct clientsession cli_ses;
|
||||
#endif /* DROPBEAR_CLIENT */
|
||||
|
||||
|
76
signkey.c
76
signkey.c
@ -30,13 +30,13 @@
|
||||
#include "ecdsa.h"
|
||||
|
||||
static const char * const signkey_names[DROPBEAR_SIGNKEY_NUM_NAMED] = {
|
||||
#ifdef DROPBEAR_RSA
|
||||
#if DROPBEAR_RSA
|
||||
"ssh-rsa",
|
||||
#endif
|
||||
#ifdef DROPBEAR_DSS
|
||||
#if DROPBEAR_DSS
|
||||
"ssh-dss",
|
||||
#endif
|
||||
#ifdef DROPBEAR_ECDSA
|
||||
#if DROPBEAR_ECDSA
|
||||
"ecdsa-sha2-nistp256",
|
||||
"ecdsa-sha2-nistp384",
|
||||
"ecdsa-sha2-nistp521"
|
||||
@ -75,7 +75,7 @@ enum signkey_type signkey_type_from_name(const char* name, unsigned int namelen)
|
||||
if (namelen == strlen(fixed_name)
|
||||
&& memcmp(fixed_name, name, namelen) == 0) {
|
||||
|
||||
#ifdef DROPBEAR_ECDSA
|
||||
#if DROPBEAR_ECDSA
|
||||
/* Some of the ECDSA key sizes are defined even if they're not compiled in */
|
||||
if (0
|
||||
#ifndef DROPBEAR_ECC_256
|
||||
@ -106,25 +106,25 @@ enum signkey_type signkey_type_from_name(const char* name, unsigned int namelen)
|
||||
void **
|
||||
signkey_key_ptr(sign_key *key, enum signkey_type type) {
|
||||
switch (type) {
|
||||
#ifdef DROPBEAR_ECDSA
|
||||
#ifdef DROPBEAR_ECC_256
|
||||
#if DROPBEAR_ECDSA
|
||||
#if DROPBEAR_ECC_256
|
||||
case DROPBEAR_SIGNKEY_ECDSA_NISTP256:
|
||||
return (void**)&key->ecckey256;
|
||||
#endif
|
||||
#ifdef DROPBEAR_ECC_384
|
||||
#if DROPBEAR_ECC_384
|
||||
case DROPBEAR_SIGNKEY_ECDSA_NISTP384:
|
||||
return (void**)&key->ecckey384;
|
||||
#endif
|
||||
#ifdef DROPBEAR_ECC_521
|
||||
#if DROPBEAR_ECC_521
|
||||
case DROPBEAR_SIGNKEY_ECDSA_NISTP521:
|
||||
return (void**)&key->ecckey521;
|
||||
#endif
|
||||
#endif /* DROPBEAR_ECDSA */
|
||||
#ifdef DROPBEAR_RSA
|
||||
#if DROPBEAR_RSA
|
||||
case DROPBEAR_SIGNKEY_RSA:
|
||||
return (void**)&key->rsakey;
|
||||
#endif
|
||||
#ifdef DROPBEAR_DSS
|
||||
#if DROPBEAR_DSS
|
||||
case DROPBEAR_SIGNKEY_DSS:
|
||||
return (void**)&key->dsskey;
|
||||
#endif
|
||||
@ -161,7 +161,7 @@ int buf_get_pub_key(buffer *buf, sign_key *key, enum signkey_type *type) {
|
||||
/* Rewind the buffer back before "ssh-rsa" etc */
|
||||
buf_incrpos(buf, -len - 4);
|
||||
|
||||
#ifdef DROPBEAR_DSS
|
||||
#if DROPBEAR_DSS
|
||||
if (keytype == DROPBEAR_SIGNKEY_DSS) {
|
||||
dss_key_free(key->dsskey);
|
||||
key->dsskey = m_malloc(sizeof(*key->dsskey));
|
||||
@ -171,7 +171,7 @@ int buf_get_pub_key(buffer *buf, sign_key *key, enum signkey_type *type) {
|
||||
}
|
||||
}
|
||||
#endif
|
||||
#ifdef DROPBEAR_RSA
|
||||
#if DROPBEAR_RSA
|
||||
if (keytype == DROPBEAR_SIGNKEY_RSA) {
|
||||
rsa_key_free(key->rsakey);
|
||||
key->rsakey = m_malloc(sizeof(*key->rsakey));
|
||||
@ -181,7 +181,7 @@ int buf_get_pub_key(buffer *buf, sign_key *key, enum signkey_type *type) {
|
||||
}
|
||||
}
|
||||
#endif
|
||||
#ifdef DROPBEAR_ECDSA
|
||||
#if DROPBEAR_ECDSA
|
||||
if (signkey_is_ecdsa(keytype)) {
|
||||
ecc_key **eck = (ecc_key**)signkey_key_ptr(key, keytype);
|
||||
if (eck) {
|
||||
@ -230,7 +230,7 @@ int buf_get_priv_key(buffer *buf, sign_key *key, enum signkey_type *type) {
|
||||
/* Rewind the buffer back before "ssh-rsa" etc */
|
||||
buf_incrpos(buf, -len - 4);
|
||||
|
||||
#ifdef DROPBEAR_DSS
|
||||
#if DROPBEAR_DSS
|
||||
if (keytype == DROPBEAR_SIGNKEY_DSS) {
|
||||
dss_key_free(key->dsskey);
|
||||
key->dsskey = m_malloc(sizeof(*key->dsskey));
|
||||
@ -240,7 +240,7 @@ int buf_get_priv_key(buffer *buf, sign_key *key, enum signkey_type *type) {
|
||||
}
|
||||
}
|
||||
#endif
|
||||
#ifdef DROPBEAR_RSA
|
||||
#if DROPBEAR_RSA
|
||||
if (keytype == DROPBEAR_SIGNKEY_RSA) {
|
||||
rsa_key_free(key->rsakey);
|
||||
key->rsakey = m_malloc(sizeof(*key->rsakey));
|
||||
@ -250,7 +250,7 @@ int buf_get_priv_key(buffer *buf, sign_key *key, enum signkey_type *type) {
|
||||
}
|
||||
}
|
||||
#endif
|
||||
#ifdef DROPBEAR_ECDSA
|
||||
#if DROPBEAR_ECDSA
|
||||
if (signkey_is_ecdsa(keytype)) {
|
||||
ecc_key **eck = (ecc_key**)signkey_key_ptr(key, keytype);
|
||||
if (eck) {
|
||||
@ -281,17 +281,17 @@ void buf_put_pub_key(buffer* buf, sign_key *key, enum signkey_type type) {
|
||||
TRACE2(("enter buf_put_pub_key"))
|
||||
pubkeys = buf_new(MAX_PUBKEY_SIZE);
|
||||
|
||||
#ifdef DROPBEAR_DSS
|
||||
#if DROPBEAR_DSS
|
||||
if (type == DROPBEAR_SIGNKEY_DSS) {
|
||||
buf_put_dss_pub_key(pubkeys, key->dsskey);
|
||||
}
|
||||
#endif
|
||||
#ifdef DROPBEAR_RSA
|
||||
#if DROPBEAR_RSA
|
||||
if (type == DROPBEAR_SIGNKEY_RSA) {
|
||||
buf_put_rsa_pub_key(pubkeys, key->rsakey);
|
||||
}
|
||||
#endif
|
||||
#ifdef DROPBEAR_ECDSA
|
||||
#if DROPBEAR_ECDSA
|
||||
if (signkey_is_ecdsa(type)) {
|
||||
ecc_key **eck = (ecc_key**)signkey_key_ptr(key, type);
|
||||
if (eck) {
|
||||
@ -314,21 +314,21 @@ void buf_put_priv_key(buffer* buf, sign_key *key, enum signkey_type type) {
|
||||
TRACE(("enter buf_put_priv_key"))
|
||||
TRACE(("type is %d", type))
|
||||
|
||||
#ifdef DROPBEAR_DSS
|
||||
#if DROPBEAR_DSS
|
||||
if (type == DROPBEAR_SIGNKEY_DSS) {
|
||||
buf_put_dss_priv_key(buf, key->dsskey);
|
||||
TRACE(("leave buf_put_priv_key: dss done"))
|
||||
return;
|
||||
}
|
||||
#endif
|
||||
#ifdef DROPBEAR_RSA
|
||||
#if DROPBEAR_RSA
|
||||
if (type == DROPBEAR_SIGNKEY_RSA) {
|
||||
buf_put_rsa_priv_key(buf, key->rsakey);
|
||||
TRACE(("leave buf_put_priv_key: rsa done"))
|
||||
return;
|
||||
}
|
||||
#endif
|
||||
#ifdef DROPBEAR_ECDSA
|
||||
#if DROPBEAR_ECDSA
|
||||
if (signkey_is_ecdsa(type)) {
|
||||
ecc_key **eck = (ecc_key**)signkey_key_ptr(key, type);
|
||||
if (eck) {
|
||||
@ -345,30 +345,30 @@ void sign_key_free(sign_key *key) {
|
||||
|
||||
TRACE2(("enter sign_key_free"))
|
||||
|
||||
#ifdef DROPBEAR_DSS
|
||||
#if DROPBEAR_DSS
|
||||
dss_key_free(key->dsskey);
|
||||
key->dsskey = NULL;
|
||||
#endif
|
||||
#ifdef DROPBEAR_RSA
|
||||
#if DROPBEAR_RSA
|
||||
rsa_key_free(key->rsakey);
|
||||
key->rsakey = NULL;
|
||||
#endif
|
||||
#ifdef DROPBEAR_ECDSA
|
||||
#ifdef DROPBEAR_ECC_256
|
||||
#if DROPBEAR_ECDSA
|
||||
#if DROPBEAR_ECC_256
|
||||
if (key->ecckey256) {
|
||||
ecc_free(key->ecckey256);
|
||||
m_free(key->ecckey256);
|
||||
key->ecckey256 = NULL;
|
||||
}
|
||||
#endif
|
||||
#ifdef DROPBEAR_ECC_384
|
||||
#if DROPBEAR_ECC_384
|
||||
if (key->ecckey384) {
|
||||
ecc_free(key->ecckey384);
|
||||
m_free(key->ecckey384);
|
||||
key->ecckey384 = NULL;
|
||||
}
|
||||
#endif
|
||||
#ifdef DROPBEAR_ECC_521
|
||||
#if DROPBEAR_ECC_521
|
||||
if (key->ecckey521) {
|
||||
ecc_free(key->ecckey521);
|
||||
m_free(key->ecckey521);
|
||||
@ -395,7 +395,7 @@ static char hexdig(unsigned char x) {
|
||||
|
||||
/* Since we're not sure if we'll have md5 or sha1, we present both.
|
||||
* MD5 is used in preference, but sha1 could still be useful */
|
||||
#ifdef DROPBEAR_MD5_HMAC
|
||||
#if DROPBEAR_MD5_HMAC
|
||||
static char * sign_key_md5_fingerprint(unsigned char* keyblob,
|
||||
unsigned int keybloblen) {
|
||||
|
||||
@ -470,7 +470,7 @@ static char * sign_key_sha1_fingerprint(unsigned char* keyblob,
|
||||
* in either sha1 or md5 */
|
||||
char * sign_key_fingerprint(unsigned char* keyblob, unsigned int keybloblen) {
|
||||
|
||||
#ifdef DROPBEAR_MD5_HMAC
|
||||
#if DROPBEAR_MD5_HMAC
|
||||
return sign_key_md5_fingerprint(keyblob, keybloblen);
|
||||
#else
|
||||
return sign_key_sha1_fingerprint(keyblob, keybloblen);
|
||||
@ -482,17 +482,17 @@ void buf_put_sign(buffer* buf, sign_key *key, enum signkey_type type,
|
||||
buffer *sigblob;
|
||||
sigblob = buf_new(MAX_PUBKEY_SIZE);
|
||||
|
||||
#ifdef DROPBEAR_DSS
|
||||
#if DROPBEAR_DSS
|
||||
if (type == DROPBEAR_SIGNKEY_DSS) {
|
||||
buf_put_dss_sign(sigblob, key->dsskey, data_buf);
|
||||
}
|
||||
#endif
|
||||
#ifdef DROPBEAR_RSA
|
||||
#if DROPBEAR_RSA
|
||||
if (type == DROPBEAR_SIGNKEY_RSA) {
|
||||
buf_put_rsa_sign(sigblob, key->rsakey, data_buf);
|
||||
}
|
||||
#endif
|
||||
#ifdef DROPBEAR_ECDSA
|
||||
#if DROPBEAR_ECDSA
|
||||
if (signkey_is_ecdsa(type)) {
|
||||
ecc_key **eck = (ecc_key**)signkey_key_ptr(key, type);
|
||||
if (eck) {
|
||||
@ -508,7 +508,7 @@ void buf_put_sign(buffer* buf, sign_key *key, enum signkey_type type,
|
||||
|
||||
}
|
||||
|
||||
#ifdef DROPBEAR_SIGNKEY_VERIFY
|
||||
#if DROPBEAR_SIGNKEY_VERIFY
|
||||
/* Return DROPBEAR_SUCCESS or DROPBEAR_FAILURE.
|
||||
* If FAILURE is returned, the position of
|
||||
* buf is undefined. If SUCCESS is returned, buf will be positioned after the
|
||||
@ -526,7 +526,7 @@ int buf_verify(buffer * buf, sign_key *key, buffer *data_buf) {
|
||||
type = signkey_type_from_name(type_name, type_name_len);
|
||||
m_free(type_name);
|
||||
|
||||
#ifdef DROPBEAR_DSS
|
||||
#if DROPBEAR_DSS
|
||||
if (type == DROPBEAR_SIGNKEY_DSS) {
|
||||
if (key->dsskey == NULL) {
|
||||
dropbear_exit("No DSS key to verify signature");
|
||||
@ -535,7 +535,7 @@ int buf_verify(buffer * buf, sign_key *key, buffer *data_buf) {
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef DROPBEAR_RSA
|
||||
#if DROPBEAR_RSA
|
||||
if (type == DROPBEAR_SIGNKEY_RSA) {
|
||||
if (key->rsakey == NULL) {
|
||||
dropbear_exit("No RSA key to verify signature");
|
||||
@ -543,7 +543,7 @@ int buf_verify(buffer * buf, sign_key *key, buffer *data_buf) {
|
||||
return buf_rsa_verify(buf, key->rsakey, data_buf);
|
||||
}
|
||||
#endif
|
||||
#ifdef DROPBEAR_ECDSA
|
||||
#if DROPBEAR_ECDSA
|
||||
if (signkey_is_ecdsa(type)) {
|
||||
ecc_key **eck = (ecc_key**)signkey_key_ptr(key, type);
|
||||
if (eck) {
|
||||
@ -557,7 +557,7 @@ int buf_verify(buffer * buf, sign_key *key, buffer *data_buf) {
|
||||
}
|
||||
#endif /* DROPBEAR_SIGNKEY_VERIFY */
|
||||
|
||||
#ifdef DROPBEAR_KEY_LINES /* ie we're using authorized_keys or known_hosts */
|
||||
#if DROPBEAR_KEY_LINES /* ie we're using authorized_keys or known_hosts */
|
||||
|
||||
/* Returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE when given a buffer containing
|
||||
* a key, a key, and a type. The buffer is positioned at the start of the
|
||||
|
20
signkey.h
20
signkey.h
@ -30,13 +30,13 @@
|
||||
#include "rsa.h"
|
||||
|
||||
enum signkey_type {
|
||||
#ifdef DROPBEAR_RSA
|
||||
#if DROPBEAR_RSA
|
||||
DROPBEAR_SIGNKEY_RSA,
|
||||
#endif
|
||||
#ifdef DROPBEAR_DSS
|
||||
#if DROPBEAR_DSS
|
||||
DROPBEAR_SIGNKEY_DSS,
|
||||
#endif
|
||||
#ifdef DROPBEAR_ECDSA
|
||||
#if DROPBEAR_ECDSA
|
||||
DROPBEAR_SIGNKEY_ECDSA_NISTP256,
|
||||
DROPBEAR_SIGNKEY_ECDSA_NISTP384,
|
||||
DROPBEAR_SIGNKEY_ECDSA_NISTP521,
|
||||
@ -61,20 +61,20 @@ struct SIGN_key {
|
||||
signkey_source source;
|
||||
char *filename;
|
||||
|
||||
#ifdef DROPBEAR_DSS
|
||||
#if DROPBEAR_DSS
|
||||
dropbear_dss_key * dsskey;
|
||||
#endif
|
||||
#ifdef DROPBEAR_RSA
|
||||
#if DROPBEAR_RSA
|
||||
dropbear_rsa_key * rsakey;
|
||||
#endif
|
||||
#ifdef DROPBEAR_ECDSA
|
||||
#ifdef DROPBEAR_ECC_256
|
||||
#if DROPBEAR_ECDSA
|
||||
#if DROPBEAR_ECC_256
|
||||
ecc_key * ecckey256;
|
||||
#endif
|
||||
#ifdef DROPBEAR_ECC_384
|
||||
#if DROPBEAR_ECC_384
|
||||
ecc_key * ecckey384;
|
||||
#endif
|
||||
#ifdef DROPBEAR_ECC_521
|
||||
#if DROPBEAR_ECC_521
|
||||
ecc_key * ecckey521;
|
||||
#endif
|
||||
#endif
|
||||
@ -91,7 +91,7 @@ void buf_put_pub_key(buffer* buf, sign_key *key, enum signkey_type type);
|
||||
void buf_put_priv_key(buffer* buf, sign_key *key, enum signkey_type type);
|
||||
void sign_key_free(sign_key *key);
|
||||
void buf_put_sign(buffer* buf, sign_key *key, enum signkey_type type, buffer *data_buf);
|
||||
#ifdef DROPBEAR_SIGNKEY_VERIFY
|
||||
#if DROPBEAR_SIGNKEY_VERIFY
|
||||
int buf_verify(buffer * buf, sign_key *key, buffer *data_buf);
|
||||
char * sign_key_fingerprint(unsigned char* keyblob, unsigned int keybloblen);
|
||||
#endif
|
||||
|
@ -27,7 +27,7 @@
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
#ifdef ENABLE_SVR_AGENTFWD
|
||||
#if DROPBEAR_SVR_AGENTFWD
|
||||
|
||||
#include "agentfwd.h"
|
||||
#include "session.h"
|
||||
|
10
svr-auth.c
10
svr-auth.c
@ -56,10 +56,10 @@ void svr_authinitialise() {
|
||||
static void authclear() {
|
||||
|
||||
memset(&ses.authstate, 0, sizeof(ses.authstate));
|
||||
#ifdef ENABLE_SVR_PUBKEY_AUTH
|
||||
#if DROPBEAR_SVR_PUBKEY_AUTH
|
||||
ses.authstate.authtypes |= AUTH_TYPE_PUBKEY;
|
||||
#endif
|
||||
#if defined(ENABLE_SVR_PASSWORD_AUTH) || defined(ENABLE_SVR_PAM_AUTH)
|
||||
#if DROPBEAR_SVR_PASSWORD_AUTH || DROPBEAR_SVR_PAM_AUTH
|
||||
if (!svr_opts.noauthpass) {
|
||||
ses.authstate.authtypes |= AUTH_TYPE_PASSWORD;
|
||||
}
|
||||
@ -169,7 +169,7 @@ void recv_msg_userauth_request() {
|
||||
}
|
||||
}
|
||||
|
||||
#ifdef ENABLE_SVR_PASSWORD_AUTH
|
||||
#if DROPBEAR_SVR_PASSWORD_AUTH
|
||||
if (!svr_opts.noauthpass &&
|
||||
!(svr_opts.norootpass && ses.authstate.pw_uid == 0) ) {
|
||||
/* user wants to try password auth */
|
||||
@ -184,7 +184,7 @@ void recv_msg_userauth_request() {
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef ENABLE_SVR_PAM_AUTH
|
||||
#if DROPBEAR_SVR_PAM_AUTH
|
||||
if (!svr_opts.noauthpass &&
|
||||
!(svr_opts.norootpass && ses.authstate.pw_uid == 0) ) {
|
||||
/* user wants to try password auth */
|
||||
@ -199,7 +199,7 @@ void recv_msg_userauth_request() {
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef ENABLE_SVR_PUBKEY_AUTH
|
||||
#if DROPBEAR_SVR_PUBKEY_AUTH
|
||||
/* user wants to try pubkey auth */
|
||||
if (methodlen == AUTH_METHOD_PUBKEY_LEN &&
|
||||
strncmp(methodname, AUTH_METHOD_PUBKEY,
|
||||
|
@ -31,7 +31,7 @@
|
||||
#include "dbutil.h"
|
||||
#include "auth.h"
|
||||
|
||||
#ifdef ENABLE_SVR_PAM_AUTH
|
||||
#if DROPBEAR_SVR_PAM_AUTH
|
||||
|
||||
#if defined(HAVE_SECURITY_PAM_APPL_H)
|
||||
#include <security/pam_appl.h>
|
||||
@ -270,4 +270,4 @@ cleanup:
|
||||
}
|
||||
}
|
||||
|
||||
#endif /* ENABLE_SVR_PAM_AUTH */
|
||||
#endif /* DROPBEAR_SVR_PAM_AUTH */
|
||||
|
@ -31,7 +31,7 @@
|
||||
#include "auth.h"
|
||||
#include "runopts.h"
|
||||
|
||||
#ifdef ENABLE_SVR_PASSWORD_AUTH
|
||||
#if DROPBEAR_SVR_PASSWORD_AUTH
|
||||
|
||||
/* not constant time when strings are differing lengths.
|
||||
string content isn't leaked, and crypt hashes are predictable length. */
|
||||
|
@ -65,7 +65,7 @@
|
||||
#include "packet.h"
|
||||
#include "algo.h"
|
||||
|
||||
#ifdef ENABLE_SVR_PUBKEY_AUTH
|
||||
#if DROPBEAR_SVR_PUBKEY_AUTH
|
||||
|
||||
#define MIN_AUTHKEYS_LINE 10 /* "ssh-rsa AB" - short but doesn't matter */
|
||||
#define MAX_AUTHKEYS_LINE 4200 /* max length of a line in authkeys */
|
||||
|
@ -47,7 +47,7 @@
|
||||
#include "signkey.h"
|
||||
#include "auth.h"
|
||||
|
||||
#ifdef ENABLE_SVR_PUBKEY_OPTIONS
|
||||
#if DROPBEAR_SVR_PUBKEY_OPTIONS_BUILT
|
||||
|
||||
/* Returns 1 if pubkey allows agent forwarding,
|
||||
* 0 otherwise */
|
||||
@ -147,14 +147,14 @@ int svr_add_pubkey_options(buffer *options_buf, int line_num, const char* filena
|
||||
ses.authstate.pubkey_options->no_port_forwarding_flag = 1;
|
||||
goto next_option;
|
||||
}
|
||||
#ifdef ENABLE_SVR_AGENTFWD
|
||||
#if DROPBEAR_SVR_AGENTFWD
|
||||
if (match_option(options_buf, "no-agent-forwarding") == DROPBEAR_SUCCESS) {
|
||||
dropbear_log(LOG_WARNING, "Agent forwarding disabled.");
|
||||
ses.authstate.pubkey_options->no_agent_forwarding_flag = 1;
|
||||
goto next_option;
|
||||
}
|
||||
#endif
|
||||
#ifdef ENABLE_X11FWD
|
||||
#if DROPBEAR_X11FWD
|
||||
if (match_option(options_buf, "no-X11-forwarding") == DROPBEAR_SUCCESS) {
|
||||
dropbear_log(LOG_WARNING, "X11 forwarding disabled.");
|
||||
ses.authstate.pubkey_options->no_x11_forwarding_flag = 1;
|
||||
|
@ -254,13 +254,13 @@ static int newchansess(struct Channel *channel) {
|
||||
|
||||
channel->typedata = chansess;
|
||||
|
||||
#ifndef DISABLE_X11FWD
|
||||
#if DROPBEAR_X11FWD
|
||||
chansess->x11listener = NULL;
|
||||
chansess->x11authprot = NULL;
|
||||
chansess->x11authcookie = NULL;
|
||||
#endif
|
||||
|
||||
#ifdef ENABLE_SVR_AGENTFWD
|
||||
#if DROPBEAR_SVR_AGENTFWD
|
||||
chansess->agentlistener = NULL;
|
||||
chansess->agentfile = NULL;
|
||||
chansess->agentdir = NULL;
|
||||
@ -301,7 +301,7 @@ static void closechansess(struct Channel *channel) {
|
||||
m_free(chansess->cmd);
|
||||
m_free(chansess->term);
|
||||
|
||||
#ifdef ENABLE_SVR_PUBKEY_OPTIONS
|
||||
#if DROPBEAR_SVR_PUBKEY_OPTIONS_BUILT
|
||||
m_free(chansess->original_command);
|
||||
#endif
|
||||
|
||||
@ -315,11 +315,11 @@ static void closechansess(struct Channel *channel) {
|
||||
m_free(chansess->tty);
|
||||
}
|
||||
|
||||
#ifndef DISABLE_X11FWD
|
||||
#if DROPBEAR_X11FWD
|
||||
x11cleanup(chansess);
|
||||
#endif
|
||||
|
||||
#ifdef ENABLE_SVR_AGENTFWD
|
||||
#if DROPBEAR_SVR_AGENTFWD
|
||||
svr_agentcleanup(chansess);
|
||||
#endif
|
||||
|
||||
@ -373,11 +373,11 @@ static void chansessionrequest(struct Channel *channel) {
|
||||
ret = sessioncommand(channel, chansess, 1, 0);
|
||||
} else if (strcmp(type, "subsystem") == 0) {
|
||||
ret = sessioncommand(channel, chansess, 1, 1);
|
||||
#ifndef DISABLE_X11FWD
|
||||
#if DROPBEAR_X11FWD
|
||||
} else if (strcmp(type, "x11-req") == 0) {
|
||||
ret = x11req(chansess);
|
||||
#endif
|
||||
#ifdef ENABLE_SVR_AGENTFWD
|
||||
#if DROPBEAR_SVR_AGENTFWD
|
||||
} else if (strcmp(type, "auth-agent-req@openssh.com") == 0) {
|
||||
ret = svr_agentreq(chansess);
|
||||
#endif
|
||||
@ -603,7 +603,7 @@ static int sessionpty(struct ChanSess * chansess) {
|
||||
return DROPBEAR_SUCCESS;
|
||||
}
|
||||
|
||||
#ifndef USE_VFORK
|
||||
#if !DROPBEAR_VFORK
|
||||
static void make_connection_string(struct ChanSess *chansess) {
|
||||
char *local_ip, *local_port, *remote_ip, *remote_port;
|
||||
size_t len;
|
||||
@ -634,7 +634,7 @@ static void make_connection_string(struct ChanSess *chansess) {
|
||||
static int sessioncommand(struct Channel *channel, struct ChanSess *chansess,
|
||||
int iscmd, int issubsys) {
|
||||
|
||||
unsigned int cmdlen;
|
||||
unsigned int cmdlen = 0;
|
||||
int ret;
|
||||
|
||||
TRACE(("enter sessioncommand"))
|
||||
@ -671,8 +671,16 @@ static int sessioncommand(struct Channel *channel, struct ChanSess *chansess,
|
||||
}
|
||||
}
|
||||
|
||||
/* take public key option 'command' into account */
|
||||
svr_pubkey_set_forced_command(chansess);
|
||||
|
||||
/* take global command into account */
|
||||
if (svr_opts.forced_command) {
|
||||
chansess->original_command = chansess->cmd ? : m_strdup("");
|
||||
chansess->cmd = m_strdup(svr_opts.forced_command);
|
||||
} else {
|
||||
/* take public key option 'command' into account */
|
||||
svr_pubkey_set_forced_command(chansess);
|
||||
}
|
||||
|
||||
|
||||
#ifdef LOG_COMMANDS
|
||||
if (chansess->cmd) {
|
||||
@ -686,7 +694,7 @@ static int sessioncommand(struct Channel *channel, struct ChanSess *chansess,
|
||||
|
||||
/* uClinux will vfork(), so there'll be a race as
|
||||
connection_string is freed below. */
|
||||
#ifndef USE_VFORK
|
||||
#if !DROPBEAR_VFORK
|
||||
make_connection_string(chansess);
|
||||
#endif
|
||||
|
||||
@ -702,7 +710,7 @@ static int sessioncommand(struct Channel *channel, struct ChanSess *chansess,
|
||||
ret = ptycommand(channel, chansess);
|
||||
}
|
||||
|
||||
#ifndef USE_VFORK
|
||||
#if !DROPBEAR_VFORK
|
||||
m_free(chansess->connection_string);
|
||||
m_free(chansess->client_string);
|
||||
#endif
|
||||
@ -776,7 +784,7 @@ static int ptycommand(struct Channel *channel, struct ChanSess *chansess) {
|
||||
return DROPBEAR_FAILURE;
|
||||
}
|
||||
|
||||
#ifdef USE_VFORK
|
||||
#if DROPBEAR_VFORK
|
||||
pid = vfork();
|
||||
#else
|
||||
pid = fork();
|
||||
@ -896,7 +904,7 @@ static void execchild(void *user_data) {
|
||||
|
||||
/* with uClinux we'll have vfork()ed, so don't want to overwrite the
|
||||
* hostkey. can't think of a workaround to clear it */
|
||||
#ifndef USE_VFORK
|
||||
#if !DROPBEAR_VFORK
|
||||
/* wipe the hostkey */
|
||||
sign_key_free(svr_opts.hostkey);
|
||||
svr_opts.hostkey = NULL;
|
||||
@ -965,7 +973,7 @@ static void execchild(void *user_data) {
|
||||
addnewvar("SSH_CLIENT", chansess->client_string);
|
||||
}
|
||||
|
||||
#ifdef ENABLE_SVR_PUBKEY_OPTIONS
|
||||
#if DROPBEAR_SVR_PUBKEY_OPTIONS_BUILT
|
||||
if (chansess->original_command) {
|
||||
addnewvar("SSH_ORIGINAL_COMMAND", chansess->original_command);
|
||||
}
|
||||
@ -976,11 +984,11 @@ static void execchild(void *user_data) {
|
||||
dropbear_exit("Error changing directory");
|
||||
}
|
||||
|
||||
#ifndef DISABLE_X11FWD
|
||||
#if DROPBEAR_X11FWD
|
||||
/* set up X11 forwarding if enabled */
|
||||
x11setauth(chansess);
|
||||
#endif
|
||||
#ifdef ENABLE_SVR_AGENTFWD
|
||||
#if DROPBEAR_SVR_AGENTFWD
|
||||
/* set up agent env variable */
|
||||
svr_agentset(chansess);
|
||||
#endif
|
||||
|
34
svr-kex.c
34
svr-kex.c
@ -54,18 +54,24 @@ void recv_msg_kexdh_init() {
|
||||
}
|
||||
|
||||
switch (ses.newkeys->algo_kex->mode) {
|
||||
#if DROPBEAR_NORMAL_DH
|
||||
case DROPBEAR_KEX_NORMAL_DH:
|
||||
m_mp_init(&dh_e);
|
||||
if (buf_getmpint(ses.payload, &dh_e) != DROPBEAR_SUCCESS) {
|
||||
dropbear_exit("Bad kex value");
|
||||
}
|
||||
break;
|
||||
case DROPBEAR_KEX_ECDH:
|
||||
case DROPBEAR_KEX_CURVE25519:
|
||||
#if defined(DROPBEAR_ECDH) || defined(DROPBEAR_CURVE25519)
|
||||
ecdh_qs = buf_getstringbuf(ses.payload);
|
||||
#endif
|
||||
#if DROPBEAR_ECDH
|
||||
case DROPBEAR_KEX_ECDH:
|
||||
#endif
|
||||
#if DROPBEAR_CURVE25519
|
||||
case DROPBEAR_KEX_CURVE25519:
|
||||
#endif
|
||||
#if DROPBEAR_ECDH || DROPBEAR_CURVE25519
|
||||
ecdh_qs = buf_getstringbuf(ses.payload);
|
||||
break;
|
||||
#endif
|
||||
}
|
||||
if (ses.payload->pos != ses.payload->len) {
|
||||
dropbear_exit("Bad kex value");
|
||||
@ -85,7 +91,7 @@ void recv_msg_kexdh_init() {
|
||||
}
|
||||
|
||||
|
||||
#ifdef DROPBEAR_DELAY_HOSTKEY
|
||||
#if DROPBEAR_DELAY_HOSTKEY
|
||||
|
||||
static void svr_ensure_hostkey() {
|
||||
|
||||
@ -100,17 +106,17 @@ static void svr_ensure_hostkey() {
|
||||
|
||||
switch (type)
|
||||
{
|
||||
#ifdef DROPBEAR_RSA
|
||||
#if DROPBEAR_RSA
|
||||
case DROPBEAR_SIGNKEY_RSA:
|
||||
fn = RSA_PRIV_FILENAME;
|
||||
break;
|
||||
#endif
|
||||
#ifdef DROPBEAR_DSS
|
||||
#if DROPBEAR_DSS
|
||||
case DROPBEAR_SIGNKEY_DSS:
|
||||
fn = DSS_PRIV_FILENAME;
|
||||
break;
|
||||
#endif
|
||||
#ifdef DROPBEAR_ECDSA
|
||||
#if DROPBEAR_ECDSA
|
||||
case DROPBEAR_SIGNKEY_ECDSA_NISTP256:
|
||||
case DROPBEAR_SIGNKEY_ECDSA_NISTP384:
|
||||
case DROPBEAR_SIGNKEY_ECDSA_NISTP521:
|
||||
@ -166,7 +172,7 @@ static void send_msg_kexdh_reply(mp_int *dh_e, buffer *ecdh_qs) {
|
||||
/* we can start creating the kexdh_reply packet */
|
||||
CHECKCLEARTOWRITE();
|
||||
|
||||
#ifdef DROPBEAR_DELAY_HOSTKEY
|
||||
#if DROPBEAR_DELAY_HOSTKEY
|
||||
if (svr_opts.delay_hostkey)
|
||||
{
|
||||
svr_ensure_hostkey();
|
||||
@ -178,6 +184,7 @@ static void send_msg_kexdh_reply(mp_int *dh_e, buffer *ecdh_qs) {
|
||||
ses.newkeys->algo_hostkey);
|
||||
|
||||
switch (ses.newkeys->algo_kex->mode) {
|
||||
#if DROPBEAR_NORMAL_DH
|
||||
case DROPBEAR_KEX_NORMAL_DH:
|
||||
{
|
||||
struct kex_dh_param * dh_param = gen_kexdh_param();
|
||||
@ -188,8 +195,9 @@ static void send_msg_kexdh_reply(mp_int *dh_e, buffer *ecdh_qs) {
|
||||
free_kexdh_param(dh_param);
|
||||
}
|
||||
break;
|
||||
#endif
|
||||
#if DROPBEAR_ECDH
|
||||
case DROPBEAR_KEX_ECDH:
|
||||
#ifdef DROPBEAR_ECDH
|
||||
{
|
||||
struct kex_ecdh_param *ecdh_param = gen_kexecdh_param();
|
||||
kexecdh_comb_key(ecdh_param, ecdh_qs, svr_opts.hostkey);
|
||||
@ -197,18 +205,18 @@ static void send_msg_kexdh_reply(mp_int *dh_e, buffer *ecdh_qs) {
|
||||
buf_put_ecc_raw_pubkey_string(ses.writepayload, &ecdh_param->key);
|
||||
free_kexecdh_param(ecdh_param);
|
||||
}
|
||||
#endif
|
||||
break;
|
||||
#endif
|
||||
#if DROPBEAR_CURVE25519
|
||||
case DROPBEAR_KEX_CURVE25519:
|
||||
#ifdef DROPBEAR_CURVE25519
|
||||
{
|
||||
struct kex_curve25519_param *param = gen_kexcurve25519_param();
|
||||
kexcurve25519_comb_key(param, ecdh_qs, svr_opts.hostkey);
|
||||
buf_putstring(ses.writepayload, (const char*)param->pub, CURVE25519_LEN);
|
||||
free_kexcurve25519_param(param);
|
||||
}
|
||||
#endif
|
||||
break;
|
||||
#endif
|
||||
}
|
||||
|
||||
/* calc the signature */
|
||||
|
@ -43,8 +43,8 @@ static void main_noinetd(void);
|
||||
#endif
|
||||
static void commonsetup(void);
|
||||
|
||||
#if defined(DBMULTI_dropbear) || !defined(DROPBEAR_MULTI)
|
||||
#if defined(DBMULTI_dropbear) && defined(DROPBEAR_MULTI)
|
||||
#if defined(DBMULTI_dropbear) || !DROPBEAR_MULTI
|
||||
#if defined(DBMULTI_dropbear) && DROPBEAR_MULTI
|
||||
int dropbear_main(int argc, char ** argv)
|
||||
#else
|
||||
int main(int argc, char ** argv)
|
||||
@ -144,7 +144,7 @@ static void main_noinetd() {
|
||||
/* fork */
|
||||
if (svr_opts.forkbg) {
|
||||
int closefds = 0;
|
||||
#ifndef DEBUG_TRACE
|
||||
#if !DEBUG_TRACE
|
||||
if (!opts.usingsyslog) {
|
||||
closefds = 1;
|
||||
}
|
||||
@ -429,7 +429,7 @@ static size_t listensockets(int *socks, size_t sockcount, int *maxfd) {
|
||||
for (n = 0; n < (unsigned int)nsock; n++) {
|
||||
int sock = socks[sockpos + n];
|
||||
set_sock_priority(sock, DROPBEAR_PRIO_LOWDELAY);
|
||||
#ifdef DROPBEAR_SERVER_TCP_FAST_OPEN
|
||||
#if DROPBEAR_SERVER_TCP_FAST_OPEN
|
||||
set_listen_fast_open(sock);
|
||||
#endif
|
||||
}
|
||||
|
@ -46,16 +46,16 @@ static void printhelp(const char * progname) {
|
||||
" (default: none)\n"
|
||||
"-r keyfile Specify hostkeys (repeatable)\n"
|
||||
" defaults: \n"
|
||||
#ifdef DROPBEAR_DSS
|
||||
#if DROPBEAR_DSS
|
||||
" dss %s\n"
|
||||
#endif
|
||||
#ifdef DROPBEAR_RSA
|
||||
#if DROPBEAR_RSA
|
||||
" rsa %s\n"
|
||||
#endif
|
||||
#ifdef DROPBEAR_ECDSA
|
||||
#if DROPBEAR_ECDSA
|
||||
" ecdsa %s\n"
|
||||
#endif
|
||||
#ifdef DROPBEAR_DELAY_HOSTKEY
|
||||
#if DROPBEAR_DELAY_HOSTKEY
|
||||
"-R Create hostkeys as required\n"
|
||||
#endif
|
||||
"-F Don't fork into background\n"
|
||||
@ -68,17 +68,18 @@ static void printhelp(const char * progname) {
|
||||
"-m Don't display the motd on login\n"
|
||||
#endif
|
||||
"-w Disallow root logins\n"
|
||||
#if defined(ENABLE_SVR_PASSWORD_AUTH) || defined(ENABLE_SVR_PAM_AUTH)
|
||||
#if DROPBEAR_SVR_PASSWORD_AUTH || DROPBEAR_SVR_PAM_AUTH
|
||||
"-s Disable password logins\n"
|
||||
"-g Disable password logins for root\n"
|
||||
"-B Allow blank password logins\n"
|
||||
#endif
|
||||
#ifdef ENABLE_SVR_LOCALTCPFWD
|
||||
#if DROPBEAR_SVR_LOCALTCPFWD
|
||||
"-j Disable local port forwarding\n"
|
||||
#endif
|
||||
#ifdef ENABLE_SVR_REMOTETCPFWD
|
||||
#if DROPBEAR_SVR_REMOTETCPFWD
|
||||
"-k Disable remote port forwarding\n"
|
||||
"-a Allow connections to forwarded ports from any host\n"
|
||||
"-c command Force executed command\n"
|
||||
#endif
|
||||
"-p [address:]port\n"
|
||||
" Listen on specified tcp port (and optionally address),\n"
|
||||
@ -93,17 +94,17 @@ static void printhelp(const char * progname) {
|
||||
"-K <keepalive> (0 is never, default %d, in seconds)\n"
|
||||
"-I <idle_timeout> (0 is never, default %d, in seconds)\n"
|
||||
"-V Version\n"
|
||||
#ifdef DEBUG_TRACE
|
||||
#if DEBUG_TRACE
|
||||
"-v verbose (compiled with DEBUG_TRACE)\n"
|
||||
#endif
|
||||
,DROPBEAR_VERSION, progname,
|
||||
#ifdef DROPBEAR_DSS
|
||||
#if DROPBEAR_DSS
|
||||
DSS_PRIV_FILENAME,
|
||||
#endif
|
||||
#ifdef DROPBEAR_RSA
|
||||
#if DROPBEAR_RSA
|
||||
RSA_PRIV_FILENAME,
|
||||
#endif
|
||||
#ifdef DROPBEAR_ECDSA
|
||||
#if DROPBEAR_ECDSA
|
||||
ECDSA_PRIV_FILENAME,
|
||||
#endif
|
||||
DROPBEAR_MAX_PORTS, DROPBEAR_DEFPORT, DROPBEAR_PIDFILE,
|
||||
@ -125,6 +126,7 @@ void svr_getopts(int argc, char ** argv) {
|
||||
/* see printhelp() for options */
|
||||
svr_opts.bannerfile = NULL;
|
||||
svr_opts.banner = NULL;
|
||||
svr_opts.forced_command = NULL;
|
||||
svr_opts.forkbg = 1;
|
||||
svr_opts.norootlogin = 0;
|
||||
svr_opts.noauthpass = 0;
|
||||
@ -135,19 +137,15 @@ void svr_getopts(int argc, char ** argv) {
|
||||
svr_opts.hostkey = NULL;
|
||||
svr_opts.delay_hostkey = 0;
|
||||
svr_opts.pidfile = DROPBEAR_PIDFILE;
|
||||
#ifdef ENABLE_SVR_LOCALTCPFWD
|
||||
#if DROPBEAR_SVR_LOCALTCPFWD
|
||||
svr_opts.nolocaltcp = 0;
|
||||
#endif
|
||||
#ifdef ENABLE_SVR_REMOTETCPFWD
|
||||
#if DROPBEAR_SVR_REMOTETCPFWD
|
||||
svr_opts.noremotetcp = 0;
|
||||
#endif
|
||||
|
||||
#ifndef DISABLE_ZLIB
|
||||
#if DROPBEAR_SERVER_DELAY_ZLIB
|
||||
opts.compress_mode = DROPBEAR_COMPRESS_DELAYED;
|
||||
#else
|
||||
opts.compress_mode = DROPBEAR_COMPRESS_ON;
|
||||
#endif
|
||||
#endif
|
||||
|
||||
/* not yet
|
||||
@ -164,7 +162,7 @@ void svr_getopts(int argc, char ** argv) {
|
||||
opts.keepalive_secs = DEFAULT_KEEPALIVE;
|
||||
opts.idle_timeout_secs = DEFAULT_IDLE_TIMEOUT;
|
||||
|
||||
#ifdef ENABLE_SVR_REMOTETCPFWD
|
||||
#if DROPBEAR_SVR_REMOTETCPFWD
|
||||
opts.listen_fwd_all = 0;
|
||||
#endif
|
||||
|
||||
@ -177,6 +175,9 @@ void svr_getopts(int argc, char ** argv) {
|
||||
case 'b':
|
||||
next = &svr_opts.bannerfile;
|
||||
break;
|
||||
case 'c':
|
||||
next = &svr_opts.forced_command;
|
||||
break;
|
||||
case 'd':
|
||||
case 'r':
|
||||
next = &keyfile;
|
||||
@ -192,12 +193,12 @@ void svr_getopts(int argc, char ** argv) {
|
||||
opts.usingsyslog = 0;
|
||||
break;
|
||||
#endif
|
||||
#ifdef ENABLE_SVR_LOCALTCPFWD
|
||||
#if DROPBEAR_SVR_LOCALTCPFWD
|
||||
case 'j':
|
||||
svr_opts.nolocaltcp = 1;
|
||||
break;
|
||||
#endif
|
||||
#ifdef ENABLE_SVR_REMOTETCPFWD
|
||||
#if DROPBEAR_SVR_REMOTETCPFWD
|
||||
case 'k':
|
||||
svr_opts.noremotetcp = 1;
|
||||
break;
|
||||
@ -234,7 +235,7 @@ void svr_getopts(int argc, char ** argv) {
|
||||
case 'I':
|
||||
next = &idle_timeout_arg;
|
||||
break;
|
||||
#if defined(ENABLE_SVR_PASSWORD_AUTH) || defined(ENABLE_SVR_PAM_AUTH)
|
||||
#if DROPBEAR_SVR_PASSWORD_AUTH || DROPBEAR_SVR_PAM_AUTH
|
||||
case 's':
|
||||
svr_opts.noauthpass = 1;
|
||||
break;
|
||||
@ -252,7 +253,7 @@ void svr_getopts(int argc, char ** argv) {
|
||||
case 'u':
|
||||
/* backwards compatibility with old urandom option */
|
||||
break;
|
||||
#ifdef DEBUG_TRACE
|
||||
#if DEBUG_TRACE
|
||||
case 'v':
|
||||
debug_trace = 1;
|
||||
break;
|
||||
@ -346,6 +347,10 @@ void svr_getopts(int argc, char ** argv) {
|
||||
}
|
||||
opts.idle_timeout_secs = val;
|
||||
}
|
||||
|
||||
if (svr_opts.forced_command) {
|
||||
dropbear_log(LOG_INFO, "Forced command set to '%s'", svr_opts.forced_command);
|
||||
}
|
||||
}
|
||||
|
||||
static void addportandaddress(const char* spec) {
|
||||
@ -434,30 +439,30 @@ static void loadhostkey(const char *keyfile, int fatal_duplicate) {
|
||||
}
|
||||
}
|
||||
|
||||
#ifdef DROPBEAR_RSA
|
||||
#if DROPBEAR_RSA
|
||||
if (type == DROPBEAR_SIGNKEY_RSA) {
|
||||
loadhostkey_helper("RSA", (void**)&read_key->rsakey, (void**)&svr_opts.hostkey->rsakey, fatal_duplicate);
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef DROPBEAR_DSS
|
||||
#if DROPBEAR_DSS
|
||||
if (type == DROPBEAR_SIGNKEY_DSS) {
|
||||
loadhostkey_helper("DSS", (void**)&read_key->dsskey, (void**)&svr_opts.hostkey->dsskey, fatal_duplicate);
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef DROPBEAR_ECDSA
|
||||
#ifdef DROPBEAR_ECC_256
|
||||
#if DROPBEAR_ECDSA
|
||||
#if DROPBEAR_ECC_256
|
||||
if (type == DROPBEAR_SIGNKEY_ECDSA_NISTP256) {
|
||||
loadhostkey_helper("ECDSA256", (void**)&read_key->ecckey256, (void**)&svr_opts.hostkey->ecckey256, fatal_duplicate);
|
||||
}
|
||||
#endif
|
||||
#ifdef DROPBEAR_ECC_384
|
||||
#if DROPBEAR_ECC_384
|
||||
if (type == DROPBEAR_SIGNKEY_ECDSA_NISTP384) {
|
||||
loadhostkey_helper("ECDSA384", (void**)&read_key->ecckey384, (void**)&svr_opts.hostkey->ecckey384, fatal_duplicate);
|
||||
}
|
||||
#endif
|
||||
#ifdef DROPBEAR_ECC_521
|
||||
#if DROPBEAR_ECC_521
|
||||
if (type == DROPBEAR_SIGNKEY_ECDSA_NISTP521) {
|
||||
loadhostkey_helper("ECDSA521", (void**)&read_key->ecckey521, (void**)&svr_opts.hostkey->ecckey521, fatal_duplicate);
|
||||
}
|
||||
@ -488,25 +493,25 @@ void load_all_hostkeys() {
|
||||
m_free(hostkey_file);
|
||||
}
|
||||
|
||||
#ifdef DROPBEAR_RSA
|
||||
#if DROPBEAR_RSA
|
||||
loadhostkey(RSA_PRIV_FILENAME, 0);
|
||||
#endif
|
||||
|
||||
#ifdef DROPBEAR_DSS
|
||||
#if DROPBEAR_DSS
|
||||
loadhostkey(DSS_PRIV_FILENAME, 0);
|
||||
#endif
|
||||
|
||||
#ifdef DROPBEAR_ECDSA
|
||||
#if DROPBEAR_ECDSA
|
||||
loadhostkey(ECDSA_PRIV_FILENAME, 0);
|
||||
#endif
|
||||
|
||||
#ifdef DROPBEAR_DELAY_HOSTKEY
|
||||
#if DROPBEAR_DELAY_HOSTKEY
|
||||
if (svr_opts.delay_hostkey) {
|
||||
disable_unset_keys = 0;
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef DROPBEAR_RSA
|
||||
#if DROPBEAR_RSA
|
||||
if (disable_unset_keys && !svr_opts.hostkey->rsakey) {
|
||||
disablekey(DROPBEAR_SIGNKEY_RSA);
|
||||
} else {
|
||||
@ -514,7 +519,7 @@ void load_all_hostkeys() {
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef DROPBEAR_DSS
|
||||
#if DROPBEAR_DSS
|
||||
if (disable_unset_keys && !svr_opts.hostkey->dsskey) {
|
||||
disablekey(DROPBEAR_SIGNKEY_DSS);
|
||||
} else {
|
||||
@ -523,8 +528,8 @@ void load_all_hostkeys() {
|
||||
#endif
|
||||
|
||||
|
||||
#ifdef DROPBEAR_ECDSA
|
||||
#ifdef DROPBEAR_ECC_256
|
||||
#if DROPBEAR_ECDSA
|
||||
#if DROPBEAR_ECC_256
|
||||
if ((disable_unset_keys || ECDSA_DEFAULT_SIZE != 256)
|
||||
&& !svr_opts.hostkey->ecckey256) {
|
||||
disablekey(DROPBEAR_SIGNKEY_ECDSA_NISTP256);
|
||||
@ -533,7 +538,7 @@ void load_all_hostkeys() {
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef DROPBEAR_ECC_384
|
||||
#if DROPBEAR_ECC_384
|
||||
if ((disable_unset_keys || ECDSA_DEFAULT_SIZE != 384)
|
||||
&& !svr_opts.hostkey->ecckey384) {
|
||||
disablekey(DROPBEAR_SIGNKEY_ECDSA_NISTP384);
|
||||
@ -542,7 +547,7 @@ void load_all_hostkeys() {
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef DROPBEAR_ECC_521
|
||||
#if DROPBEAR_ECC_521
|
||||
if ((disable_unset_keys || ECDSA_DEFAULT_SIZE != 521)
|
||||
&& !svr_opts.hostkey->ecckey521) {
|
||||
disablekey(DROPBEAR_SIGNKEY_ECDSA_NISTP521);
|
||||
|
@ -62,7 +62,7 @@ static const packettype svr_packettypes[] = {
|
||||
{SSH_MSG_CHANNEL_FAILURE, ignore_recv_response},
|
||||
{SSH_MSG_REQUEST_FAILURE, ignore_recv_response}, /* for keepalive */
|
||||
{SSH_MSG_REQUEST_SUCCESS, ignore_recv_response}, /* client */
|
||||
#ifdef USING_LISTENERS
|
||||
#if DROPBEAR_LISTENERS
|
||||
{SSH_MSG_CHANNEL_OPEN_CONFIRMATION, recv_msg_channel_open_confirmation},
|
||||
{SSH_MSG_CHANNEL_OPEN_FAILURE, recv_msg_channel_open_failure},
|
||||
#endif
|
||||
@ -71,7 +71,7 @@ static const packettype svr_packettypes[] = {
|
||||
|
||||
static const struct ChanType *svr_chantypes[] = {
|
||||
&svrchansess,
|
||||
#ifdef ENABLE_SVR_LOCALTCPFWD
|
||||
#if DROPBEAR_SVR_LOCALTCPFWD
|
||||
&svr_chan_tcpdirect,
|
||||
#endif
|
||||
NULL /* Null termination is mandatory. */
|
||||
@ -96,7 +96,7 @@ void svr_session(int sock, int childpipe) {
|
||||
|
||||
/* Initialise server specific parts of the session */
|
||||
svr_ses.childpipe = childpipe;
|
||||
#ifdef USE_VFORK
|
||||
#if DROPBEAR_VFORK
|
||||
svr_ses.server_pid = getpid();
|
||||
#endif
|
||||
svr_authinitialise();
|
||||
@ -172,7 +172,7 @@ void svr_dropbear_exit(int exitcode, const char* format, va_list param) {
|
||||
|
||||
dropbear_log(LOG_INFO, "%s", fullmsg);
|
||||
|
||||
#ifdef USE_VFORK
|
||||
#if DROPBEAR_VFORK
|
||||
/* For uclinux only the main server process should cleanup - we don't want
|
||||
* forked children doing that */
|
||||
if (svr_ses.server_pid == getpid())
|
||||
@ -213,7 +213,7 @@ void svr_dropbear_log(int priority, const char* format, va_list param) {
|
||||
|
||||
/* if we are using DEBUG_TRACE, we want to print to stderr even if
|
||||
* syslog is used, so it is included in error reports */
|
||||
#ifdef DEBUG_TRACE
|
||||
#if DEBUG_TRACE
|
||||
havetrace = debug_trace;
|
||||
#endif
|
||||
|
||||
|
12
svr-tcpfwd.c
12
svr-tcpfwd.c
@ -35,7 +35,7 @@
|
||||
#include "auth.h"
|
||||
#include "netio.h"
|
||||
|
||||
#ifndef ENABLE_SVR_REMOTETCPFWD
|
||||
#ifndef DROPBEAR_SVR_REMOTETCPFWD
|
||||
|
||||
/* This is better than SSH_MSG_UNIMPLEMENTED */
|
||||
void recv_msg_global_request_remotetcp() {
|
||||
@ -44,13 +44,13 @@ void recv_msg_global_request_remotetcp() {
|
||||
}
|
||||
|
||||
/* */
|
||||
#endif /* !ENABLE_SVR_REMOTETCPFWD */
|
||||
#endif /* !DROPBEAR_SVR_REMOTETCPFWD */
|
||||
|
||||
static int svr_cancelremotetcp(void);
|
||||
static int svr_remotetcpreq(void);
|
||||
static int newtcpdirect(struct Channel * channel);
|
||||
|
||||
#ifdef ENABLE_SVR_REMOTETCPFWD
|
||||
#if DROPBEAR_SVR_REMOTETCPFWD
|
||||
static const struct ChanType svr_chan_tcpremote = {
|
||||
1, /* sepfds */
|
||||
"forwarded-tcpip",
|
||||
@ -215,9 +215,9 @@ out:
|
||||
return ret;
|
||||
}
|
||||
|
||||
#endif /* ENABLE_SVR_REMOTETCPFWD */
|
||||
#endif /* DROPBEAR_SVR_REMOTETCPFWD */
|
||||
|
||||
#ifdef ENABLE_SVR_LOCALTCPFWD
|
||||
#if DROPBEAR_SVR_LOCALTCPFWD
|
||||
|
||||
const struct ChanType svr_chan_tcpdirect = {
|
||||
1, /* sepfds */
|
||||
@ -283,4 +283,4 @@ out:
|
||||
return err;
|
||||
}
|
||||
|
||||
#endif /* ENABLE_SVR_LOCALTCPFWD */
|
||||
#endif /* DROPBEAR_SVR_LOCALTCPFWD */
|
||||
|
@ -24,7 +24,7 @@
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
#ifndef DISABLE_X11FWD
|
||||
#if DROPBEAR_X11FWD
|
||||
#include "x11fwd.h"
|
||||
#include "session.h"
|
||||
#include "ssh.h"
|
||||
|
140
sysoptions.h
140
sysoptions.h
@ -23,14 +23,20 @@
|
||||
#define AUTH_TIMEOUT 300 /* we choose 5 minutes */
|
||||
#endif
|
||||
|
||||
#define DROPBEAR_SVR_PUBKEY_OPTIONS_BUILT ((DROPBEAR_SVR_PUBKEY_AUTH) && (DROPBEAR_SVR_PUBKEY_OPTIONS))
|
||||
|
||||
/* A client should try and send an initial key exchange packet guessing
|
||||
* the algorithm that will match - saves a round trip connecting, has little
|
||||
* overhead if the guess was "wrong". */
|
||||
#define USE_KEX_FIRST_FOLLOWS
|
||||
#ifndef DROPBEAR_KEX_FIRST_FOLLOWS
|
||||
#define DROPBEAR_KEX_FIRST_FOLLOWS 1
|
||||
#endif
|
||||
/* Use protocol extension to allow "first follows" to succeed more frequently.
|
||||
* This is currently Dropbear-specific but will gracefully fallback when connecting
|
||||
* to other implementations. */
|
||||
#define USE_KEXGUESS2
|
||||
#ifndef DROPBEAR_KEXGUESS2
|
||||
#define DROPBEAR_KEXGUESS2 1
|
||||
#endif
|
||||
|
||||
/* Minimum key sizes for DSS and RSA */
|
||||
#ifndef MIN_DSS_KEYLEN
|
||||
@ -68,11 +74,11 @@
|
||||
/* success/failure defines */
|
||||
#define DROPBEAR_SUCCESS 0
|
||||
#define DROPBEAR_FAILURE -1
|
||||
|
||||
#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"
|
||||
|
||||
/* Required for pubkey auth */
|
||||
#if defined(ENABLE_SVR_PUBKEY_AUTH) || defined(DROPBEAR_CLIENT)
|
||||
#define DROPBEAR_SIGNKEY_VERIFY
|
||||
#endif
|
||||
#define DROPBEAR_SIGNKEY_VERIFY ((DROPBEAR_SVR_PUBKEY_AUTH) || (DROPBEAR_CLIENT))
|
||||
|
||||
#define SHA1_HASH_SIZE 20
|
||||
#define MD5_HASH_SIZE 16
|
||||
@ -81,56 +87,45 @@
|
||||
#define MAX_KEY_LEN 32 /* 256 bits for aes256 etc */
|
||||
#define MAX_IV_LEN 20 /* must be same as max blocksize, */
|
||||
|
||||
#if defined(DROPBEAR_SHA2_512_HMAC)
|
||||
#if DROPBEAR_SHA2_512_HMAC
|
||||
#define MAX_MAC_LEN 64
|
||||
#elif defined(DROPBEAR_SHA2_256_HMAC)
|
||||
#elif DROPBEAR_SHA2_256_HMAC
|
||||
#define MAX_MAC_LEN 32
|
||||
#else
|
||||
#define MAX_MAC_LEN 20
|
||||
#endif
|
||||
|
||||
#if defined(DROPBEAR_ECDH) || defined (DROPBEAR_ECDSA)
|
||||
#define DROPBEAR_ECC
|
||||
|
||||
#define DROPBEAR_ECC ((DROPBEAR_ECDH) || (DROPBEAR_ECDSA))
|
||||
|
||||
/* Debian doesn't define this in system headers */
|
||||
#ifndef LTM_DESC
|
||||
#define LTM_DESC
|
||||
#endif
|
||||
#if !defined(LTM_DESC) && (DROPBEAR_ECC)
|
||||
#define LTM_DESC
|
||||
#endif
|
||||
|
||||
#ifdef DROPBEAR_ECC
|
||||
#define DROPBEAR_ECC_256
|
||||
#define DROPBEAR_ECC_384
|
||||
#define DROPBEAR_ECC_521
|
||||
#endif
|
||||
#define DROPBEAR_ECC_256 (DROPBEAR_ECC)
|
||||
#define DROPBEAR_ECC_384 (DROPBEAR_ECC)
|
||||
#define DROPBEAR_ECC_521 (DROPBEAR_ECC)
|
||||
|
||||
#ifdef DROPBEAR_ECC
|
||||
#define DROPBEAR_LTC_PRNG
|
||||
#endif
|
||||
#define DROPBEAR_LTC_PRNG (DROPBEAR_ECC)
|
||||
|
||||
/* RSA can be vulnerable to timing attacks which use the time required for
|
||||
* signing to guess the private key. Blinding avoids this attack, though makes
|
||||
* signing operations slightly slower. */
|
||||
#define RSA_BLINDING
|
||||
#define DROPBEAR_RSA_BLINDING 1
|
||||
|
||||
/* hashes which will be linked and registered */
|
||||
#if defined(DROPBEAR_SHA2_256_HMAC) || defined(DROPBEAR_ECC_256) || defined(DROPBEAR_CURVE25519) || DROPBEAR_DH_GROUP14
|
||||
#define DROPBEAR_SHA256
|
||||
#endif
|
||||
#if defined(DROPBEAR_ECC_384)
|
||||
#define DROPBEAR_SHA384
|
||||
#endif
|
||||
#define DROPBEAR_SHA256 ((DROPBEAR_SHA2_256_HMAC) || (DROPBEAR_ECC_256) \
|
||||
|| (DROPBEAR_CURVE25519) || (DROPBEAR_DH_GROUP14_SHA256))
|
||||
#define DROPBEAR_SHA384 (DROPBEAR_ECC_384)
|
||||
/* LTC SHA384 depends on SHA512 */
|
||||
#if defined(DROPBEAR_SHA2_512_HMAC) || defined(DROPBEAR_ECC_521) || defined(DROPBEAR_ECC_384) || DROPBEAR_DH_GROUP16
|
||||
#define DROPBEAR_SHA512
|
||||
#endif
|
||||
#if defined(DROPBEAR_MD5_HMAC)
|
||||
#define DROPBEAR_MD5
|
||||
#endif
|
||||
#define DROPBEAR_SHA512 ((DROPBEAR_SHA2_512_HMAC) || (DROPBEAR_ECC_521) \
|
||||
|| (DROPBEAR_SHA384) || (DROPBEAR_DH_GROUP16))
|
||||
#define DROPBEAR_MD5 (DROPBEAR_MD5_HMAC)
|
||||
|
||||
/* These are disabled in Dropbear 2016.73 by default since the spec
|
||||
draft-ietf-curdle-ssh-kex-sha2-02 is under development. */
|
||||
#define DROPBEAR_DH_GROUP14_256 0
|
||||
#define DROPBEAR_DH_GROUP16 0
|
||||
#define DROPBEAR_DH_GROUP14 ((DROPBEAR_DH_GROUP14_SHA256) || (DROPBEAR_DH_GROUP14_SHA1))
|
||||
|
||||
#define DROPBEAR_NORMAL_DH ((DROPBEAR_DH_GROUP1) || (DROPBEAR_DH_GROUP14) || (DROPBEAR_DH_GROUP16))
|
||||
|
||||
/* roughly 2x 521 bits */
|
||||
#define MAX_ECC_SIZE 140
|
||||
@ -182,65 +177,47 @@
|
||||
auth */
|
||||
|
||||
|
||||
#if defined(DROPBEAR_AES256) || defined(DROPBEAR_AES128)
|
||||
#define DROPBEAR_AES
|
||||
#endif
|
||||
#define DROPBEAR_AES ((DROPBEAR_AES256) || (DROPBEAR_AES128))
|
||||
|
||||
#if defined(DROPBEAR_TWOFISH256) || defined(DROPBEAR_TWOFISH128)
|
||||
#define DROPBEAR_TWOFISH
|
||||
#endif
|
||||
#define DROPBEAR_TWOFISH ((DROPBEAR_TWOFISH256) || (DROPBEAR_TWOFISH128))
|
||||
|
||||
#ifndef ENABLE_X11FWD
|
||||
#define DISABLE_X11FWD
|
||||
#endif
|
||||
#define DROPBEAR_CLI_ANYTCPFWD ((DROPBEAR_CLI_REMOTETCPFWD) || (DROPBEAR_CLI_LOCALTCPFWD))
|
||||
|
||||
#if defined(ENABLE_CLI_REMOTETCPFWD) || defined(ENABLE_CLI_LOCALTCPFWD)
|
||||
#define ENABLE_CLI_ANYTCPFWD
|
||||
#endif
|
||||
#define DROPBEAR_TCP_ACCEPT ((DROPBEAR_CLI_LOCALTCPFWD) || (DROPBEAR_SVR_REMOTETCPFWD))
|
||||
|
||||
#if defined(ENABLE_CLI_LOCALTCPFWD) || defined(ENABLE_SVR_REMOTETCPFWD)
|
||||
#define DROPBEAR_TCP_ACCEPT
|
||||
#endif
|
||||
#define DROPBEAR_LISTENERS \
|
||||
((DROPBEAR_CLI_REMOTETCPFWD) || (DROPBEAR_CLI_LOCALTCPFWD) || \
|
||||
(DROPBEAR_SVR_REMOTETCPFWD) || (DROPBEAR_SVR_LOCALTCPFWD) || \
|
||||
(DROPBEAR_SVR_AGENTFWD) || (DROPBEAR_X11FWD))
|
||||
|
||||
#if defined(ENABLE_CLI_REMOTETCPFWD) || defined(ENABLE_CLI_LOCALTCPFWD) || \
|
||||
defined(ENABLE_SVR_REMOTETCPFWD) || defined(ENABLE_SVR_LOCALTCPFWD) || \
|
||||
defined(ENABLE_SVR_AGENTFWD) || defined(ENABLE_X11FWD)
|
||||
#define USING_LISTENERS
|
||||
#endif
|
||||
#define DROPBEAR_CLI_MULTIHOP ((DROPBEAR_CLI_NETCAT) && (DROPBEAR_CLI_PROXYCMD))
|
||||
|
||||
#if defined(ENABLE_CLI_NETCAT) && defined(ENABLE_CLI_PROXYCMD)
|
||||
#define ENABLE_CLI_MULTIHOP
|
||||
#endif
|
||||
#define ENABLE_CONNECT_UNIX ((DROPBEAR_CLI_AGENTFWD) || (DROPBEAR_PRNGD_SOCKET))
|
||||
|
||||
#if defined(ENABLE_CLI_AGENTFWD) || defined(DROPBEAR_PRNGD_SOCKET)
|
||||
#define ENABLE_CONNECT_UNIX
|
||||
#endif
|
||||
|
||||
#if defined(DROPBEAR_CLIENT) || defined(ENABLE_SVR_PUBKEY_AUTH)
|
||||
#define DROPBEAR_KEY_LINES /* ie we're using authorized_keys or known_hosts */
|
||||
#endif
|
||||
/* if we're using authorized_keys or known_hosts */
|
||||
#define DROPBEAR_KEY_LINES ((DROPBEAR_CLIENT) || (DROPBEAR_SVR_PUBKEY_AUTH))
|
||||
|
||||
/* Changing this is inadvisable, it appears to have problems
|
||||
* with flushing compressed data */
|
||||
#define DROPBEAR_ZLIB_MEM_LEVEL 8
|
||||
|
||||
#if defined(ENABLE_SVR_PASSWORD_AUTH) && defined(ENABLE_SVR_PAM_AUTH)
|
||||
#if (DROPBEAR_SVR_PASSWORD_AUTH) && (DROPBEAR_SVR_PAM_AUTH)
|
||||
#error "You can't turn on PASSWORD and PAM auth both at once. Fix it in options.h"
|
||||
#endif
|
||||
|
||||
/* We use dropbear_client and dropbear_server as shortcuts to avoid redundant
|
||||
* code, if we're just compiling as client or server */
|
||||
#if defined(DROPBEAR_SERVER) && defined(DROPBEAR_CLIENT)
|
||||
#if (DROPBEAR_SERVER) && (DROPBEAR_CLIENT)
|
||||
|
||||
#define IS_DROPBEAR_SERVER (ses.isserver == 1)
|
||||
#define IS_DROPBEAR_CLIENT (ses.isserver == 0)
|
||||
|
||||
#elif defined(DROPBEAR_SERVER)
|
||||
#elif DROPBEAR_SERVER
|
||||
|
||||
#define IS_DROPBEAR_SERVER 1
|
||||
#define IS_DROPBEAR_CLIENT 0
|
||||
|
||||
#elif defined(DROPBEAR_CLIENT)
|
||||
#elif DROPBEAR_CLIENT
|
||||
|
||||
#define IS_DROPBEAR_SERVER 0
|
||||
#define IS_DROPBEAR_CLIENT 1
|
||||
@ -252,9 +229,11 @@
|
||||
|
||||
#endif /* neither DROPBEAR_SERVER nor DROPBEAR_CLIENT */
|
||||
|
||||
#ifndef HAVE_FORK
|
||||
#define USE_VFORK
|
||||
#endif /* don't HAVE_FORK */
|
||||
#ifdef HAVE_FORK
|
||||
#define DROPBEAR_VFORK 0
|
||||
#else
|
||||
#define DROPBEAR_VFORK 1
|
||||
#endif
|
||||
|
||||
#if MAX_UNAUTH_CLIENTS > MAX_CHANNELS
|
||||
#define DROPBEAR_LISTEN_BACKLOG MAX_UNAUTH_CLIENTS
|
||||
@ -262,8 +241,12 @@
|
||||
#define DROPBEAR_LISTEN_BACKLOG MAX_CHANNELS
|
||||
#endif
|
||||
|
||||
#ifndef DROPBEAR_NONE_CIPHER
|
||||
#define DROPBEAR_NONE_CIPHER 0
|
||||
#endif
|
||||
|
||||
/* free memory before exiting */
|
||||
#define DROPBEAR_CLEANUP
|
||||
#define DROPBEAR_CLEANUP 1
|
||||
|
||||
/* Use this string since some implementations might special-case it */
|
||||
#define DROPBEAR_KEEPALIVE_STRING "keepalive@openssh.com"
|
||||
@ -272,8 +255,11 @@
|
||||
* Currently server is enabled but client is disabled by default until there
|
||||
* is further compatibility testing */
|
||||
#ifdef __linux__
|
||||
#define DROPBEAR_SERVER_TCP_FAST_OPEN
|
||||
/* #define DROPBEAR_CLIENT_TCP_FAST_OPEN */
|
||||
#define DROPBEAR_SERVER_TCP_FAST_OPEN 1
|
||||
#define DROPBEAR_CLIENT_TCP_FAST_OPEN 0
|
||||
#else
|
||||
#define DROPBEAR_SERVER_TCP_FAST_OPEN 0
|
||||
#define DROPBEAR_CLIENT_TCP_FAST_OPEN 0
|
||||
#endif
|
||||
|
||||
/* no include guard for this file */
|
||||
|
@ -33,7 +33,7 @@
|
||||
#include "listener.h"
|
||||
#include "runopts.h"
|
||||
|
||||
#ifdef DROPBEAR_TCP_ACCEPT
|
||||
#if DROPBEAR_TCP_ACCEPT
|
||||
|
||||
static void cleanup_tcp(struct Listener *listener) {
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user